From owner-freebsd-questions@FreeBSD.ORG Mon Nov 13 06:32:03 2006
From: Bachilo Dmitry <bocha@academ.org>
To: freebsd-questions@freebsd.org
Date: Mon, 13 Nov 2006 12:19:27 +0600
Subject: Re: Blocking SSH Brute-Force Attacks: What Am I Doing Wrong?
In-Reply-To: <20061113060528.GA7646@best.com>
Message-Id: <200611131219.27949.bocha@academ.org>

In a message on Monday, 13 November 2006 12:05, Leo L. Schwab wrote:
> I recently installed FreeBSD 6.1 on my gateway. It replaced an
> installation of FreeBSD 4.6.8 (fresh install, not an upgrade) on which I
> had disabled the SSH server.
>
> Since all the bugs in SSH are fixed now ( :-) ), I thought I'd leave the
> server on, and am somewhat dismayed to discover that I now get occasional
> brute-force/dictionary attacks on the port.
>
> A little Googling revealed a couple of potentially useful tools:
> 'sshit' and 'bruteblock', both of which notice repeated login attempts from
> a given IP address and blackhole it in the firewall. I first tried
> 'sshit', but after a couple days, I noticed in my daily reports that I was
> still getting lengthy bruteforce attempts, suggesting the 'sshit' was not
> working.
>
> So I uninstalled 'sshit' and installed 'bruteblock'. But again a
> couple days later, the logs showed lengthy bruteforce attempts going
> unblocked.
>
> The relevant lines from my /etc/syslog.conf file are:
>
> ----
> auth.info;authpriv.info    /var/log/auth.log
> auth.info;authpriv.info    | exec /usr/local/sbin/bruteblock -f /usr/local/etc/bruteblock/ssh.conf
> ----
>
> Any hints as to what I might be doing wrong?
>
> Thanks,
> Schwab

Why don't you just relax? :-) All my FreeBSD servers are bruteforced every
second. So what?

-- 
------------------------
Sincerely, Bachilo Dmitry
Best Regards, Bachilo Dmitry
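What the pipe-fed tools in the thread do with the auth.log lines syslog hands them, as an added example that is not from the thread, from sshit or from bruteblock: count sshd failures per source IP inside a sliding time window and report the IP once it crosses a threshold, which is the decision that precedes the firewall blackhole. The sshd message wording, the 192.0.2.0/24 addresses, the year and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# sshd failure lines as syslog writes them to auth.log (wording differs between
# sshd versions and auth methods, so these patterns are an assumption).
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?\S+|Invalid user \S+"
    r"|error: PAM: authentication error for (?:illegal user )?\S+)"
    r" from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")

class BruteForceWatcher:
    # Counts sshd failures per source IP in a sliding window; the firewall step is the caller's.
    def __init__(self, max_failures=5, window_seconds=60, year=2006):
        self.max_failures, self.window = max_failures, window_seconds
        self.year = year                     # syslog timestamps carry no year
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocked = set()

    def feed(self, line):
        # Process one auth.log line; return the IP if it just crossed the threshold.
        m = FAIL_RE.match(line)
        if not m or m.group("ip") in self.blocked:
            return None
        ip = m.group("ip")
        ts = datetime.strptime(f"{self.year} {m.group('ts')}",
                               "%Y %b %d %H:%M:%S").timestamp()
        q = self.failures[ip]
        q.append(ts)
        while ts - q[0] > self.window:       # forget failures outside the window
            q.popleft()
        if len(q) < self.max_failures:
            return None
        self.blocked.add(ip)
        return ip

def offenders(lines, **kw):
    # Feed every line to a fresh watcher; return the IPs to block, in order.
    w = BruteForceWatcher(**kw)
    return [ip for ip in map(w.feed, lines) if ip]

# Constructed sample log (not from the thread); 192.0.2.0/24 is a documentation range.
SAMPLE_LOG = ["Nov 13 06:01:%02d gw sshd[%d]: Failed password for invalid user admin "
              "from 192.0.2.10 port 4%03d ssh2" % (s, 1000 + s, s) for s in range(1, 7)]
SAMPLE_LOG += [
    "Nov 13 06:02:00 gw sshd[2000]: Failed password for root from 192.0.2.20 port 5000 ssh2",
    "Nov 13 06:03:30 gw sshd[2001]: error: PAM: authentication error for illegal user guest from 192.0.2.20",
    "Nov 13 06:05:00 gw sshd[2002]: Accepted publickey for leo from 192.0.2.30 port 6000 ssh2"]
print(offenders(SAMPLE_LOG))   # ['192.0.2.10']
```

Run as a syslog pipe target it would read lines from stdin instead of SAMPLE_LOG; the window matters, since the two 192.0.2.20 failures 90 seconds apart only count together when the window is wider than that.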