Date:      Wed, 18 Jul 2018 20:25:37 +0000
From:      Grzegorz Junka <list1@gjunka.com>
To:        Patrick Proniewski <patpro@patpro.net>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Possible break-in attempt?
Message-ID:  <fd0ab13d-0dda-fa5d-a867-533720d9f47f@gjunka.com>
In-Reply-To: <368EABCF-A10A-49E9-9473-7753F6BEAA50@patpro.net>
References:  <594ba84b-0691-8471-4bd4-076d0ae3da98@gjunka.com> <368EABCF-A10A-49E9-9473-7753F6BEAA50@patpro.net>

Thank you, Patrick. I don't receive that many of them. Maybe a dozen or 
so since I've set up my server, which was a few years ago. Mostly with 
the same IP but sometimes a different IP as well. And all those I've 
received so far were in the last few months.

They surprise me because on the firewall the sshd is forwarded from a 
non-standard port (i.e. port 22 isn't open).

I am interested in what security precaution FreeBSD is trying to take here. 
Is the sshd server receiving an ssh login request from an IP that can't 
be resolved back to a domain in the reverse DNS (PTR) record for that IP?


On 18/07/2018 20:13, Patrick Proniewski wrote:
> Hi,
>
> You can ignore them totally (you should), and if you can't, make sure you limit the possibility of a brute-force attack on your sshd:
> - configure a firewall to stop them
> - and/or activate blacklistd on sshd
> - and/or change listening port of sshd
>
> I get thousands of these every day; they won't kill you and are not worth losing your time.
>
>> On 18 Jul 2018, at 22:07, Grzegorz Junka <list1@gjunka.com> wrote:
>>
>> Sometimes I am receiving messages like this from my server:
>>
>> nas.myserver.mydomain.com login failures:
>> Jul 17 08:35:02 nas sshd[5994]: reverse mapping checking getaddrinfo for 162.132-254-62.static.virginmediabusiness.co.uk [62.254.132.162] failed - POSSIBLE BREAK-IN ATTEMPT!
>>
>> On different days they are from different IPs and they would be mapped to different reverse DNS names. How to deal with those messages/attempts?
>>
>> GrzegorzJ
>>
>
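
The sshd message quoted in this thread is logged when the connecting IP has a PTR name but a forward lookup (getaddrinfo) of that name fails. The following is an added example, not code from the posters or from OpenSSH, that reproduces this forward-confirmed reverse DNS check in Python; the function names and the constructed resolver tables are assumptions for illustration.

```python
import re
import socket

# Matches the sshd message quoted in this thread; captures PTR name and peer IP.
LOG_RE = re.compile(r"reverse mapping checking getaddrinfo for (\S+) \[([^\]]+)\] failed")

def parse_line(line):
    """Return (ptr_name, ip) from an sshd log line, or None if it is not this message."""
    m = LOG_RE.search(line)
    return (m.group(1), m.group(2)) if m else None

def system_ptr(ip):
    """Reverse lookup via the system resolver; None when the IP has no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_forward(name):
    """Forward lookup via the system resolver; None when the name does not resolve."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None)}
    except OSError:
        return None

def fcrdns(ip, ptr=system_ptr, forward=system_forward):
    """Classify an IP by forward-confirmed reverse DNS (plain string match on addresses)."""
    name = ptr(ip)
    if name is None:
        return "no-ptr"          # nothing to confirm
    addrs = forward(name)
    if addrs is None:
        return "forward-failed"  # PTR name exists but does not resolve: the logged case
    return "confirmed" if ip in addrs else "mismatch"

if __name__ == "__main__":
    # Constructed resolver tables (documentation address ranges), so this runs offline.
    PTR = {"192.0.2.10": "host.example.net", "198.51.100.7": "gone.example.net",
           "203.0.113.5": "spoof.example.net"}
    A = {"host.example.net": {"192.0.2.10"}, "spoof.example.net": {"192.0.2.99"}}
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5", "192.0.2.200"):
        print(ip, fcrdns(ip, PTR.get, A.get))
    # To test a logged peer against live DNS: fcrdns(parse_line(line)[1])
```

A "forward-failed" or "mismatch" result only says the reverse and forward DNS records for the peer are inconsistent, which is common for misconfigured ISP zones as well as for forged PTR records.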