From: Grzegorz Junka
To: Patrick Proniewski
Cc: freebsd-security@freebsd.org
Subject: Re: Possible break-in attempt?
Date: Wed, 18 Jul 2018 20:25:37 +0000
In-Reply-To: <368EABCF-A10A-49E9-9473-7753F6BEAA50@patpro.net>

Thank you Patrick.
I don't receive that many of them. Maybe a dozen or so since I've set up my server, which was a few years ago. Mostly with the same IP but sometimes a different IP as well. And all those I've received so far were in the last few months. They surprise me because on the firewall the sshd is forwarded from a non-standard port (i.e. port 22 isn't open).

I am interested in what security precaution FreeBSD is trying to take here. Is the sshd server receiving an ssh login request from an IP that can't be resolved back to a domain in the reverse DNS (PTR) record for that IP?

On 18/07/2018 20:13, Patrick Proniewski wrote:
> Hi,
>
> You can ignore them totally (you should), and if you can't, make sure you limit the possibility of brute force attacks on your sshd:
> - configure a firewall to stop them
> - and/or activate blacklistd on sshd
> - and/or change the listening port of sshd
>
> I get thousands of these every day; they won't kill you and are not worth losing your time over.
>
>> On 18 Jul. 2018, at 22:07, Grzegorz Junka wrote:
>>
>> Sometimes I am receiving messages like this from my server:
>>
>> nas.myserver.mydomain.com login failures:
>> Jul 17 08:35:02 nas sshd[5994]: reverse mapping checking getaddrinfo for 162.132-254-62.static.virginmediabusiness.co.uk [62.254.132.162] failed - POSSIBLE BREAK-IN ATTEMPT!
>>
>> On different days they are from different IPs and they would be mapped to different reverse DNS names. How to deal with those messages/attempts?
>>
>> GrzegorzJ
>>
>> _______________________________________________
>> freebsd-security@freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-security
>> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
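To make concrete what the question above is asking about, here is an added Python example (not from this thread and not OpenSSH's own code) that parses the quoted sshd line, counts such failures per source address as input for the firewall or blacklistd decision Patrick mentions, and models the forward-confirmed reverse DNS check behind the message: sshd looks up the PTR name for the client IP, resolves that name forward, and expects the client IP to be among the results. The resolver tables, the extra log lines and the hostnames in documentation address ranges are constructed so the code runs offline; the exact message quoted in the thread is the outcome where the forward lookup of the PTR name fails, while a name that resolves to a different address produces sshd's separate "does not map back to the address" message.

```python
import re
from typing import Dict, List, Optional, Tuple

# Matches the sshd message quoted in the thread: syslog timestamp, host, sshd[pid],
# then the reverse-mapping failure carrying the PTR name and the client IP.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"reverse mapping checking getaddrinfo for (?P<name>\S+) \[(?P<ip>[^\]]+)\] failed"
)

# Constructed resolver data (documentation ranges, not real zones) so the check runs offline.
PTR: Dict[str, str] = {
    "203.0.113.7": "host7.example.net",    # consistent forward/reverse pair
    "198.51.100.9": "mail.example.org",    # PTR name resolves, but to a different IP
    "192.0.2.44": "box.example.com",       # PTR name has no forward record at all
}
FORWARD: Dict[str, List[str]] = {
    "host7.example.net": ["203.0.113.7"],
    "mail.example.org": ["198.51.100.10"],
}


def fcrdns_check(ip: str, ptr: Dict[str, str] = PTR,
                 forward: Dict[str, List[str]] = FORWARD) -> Tuple[str, Optional[str]]:
    """Forward-confirmed reverse DNS, the check sshd performs when UseDNS is on.

    Returns (verdict, ptr_name). Verdicts:
      "no-ptr"      - nothing to verify, sshd just uses the IP
      "ok"          - PTR name resolves back to the client IP
      "no-forward"  - PTR name does not resolve: the 'reverse mapping checking
                      getaddrinfo ... failed' message quoted in the thread
      "mismatch"    - PTR name resolves, but not to this IP
    """
    name = ptr.get(ip)
    if name is None:
        return "no-ptr", None
    addrs = forward.get(name)
    if not addrs:
        return "no-forward", name
    return ("ok" if ip in addrs else "mismatch"), name


def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """Extract timestamp, host, pid, PTR name and client IP from one sshd log line."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def failures_by_ip(lines: List[str]) -> Dict[str, int]:
    """Count reverse-mapping failures per source IP; lines that don't match are ignored."""
    counts: Dict[str, int] = {}
    for line in lines:
        rec = parse_log_line(line)
        if rec:
            counts[rec["ip"]] = counts.get(rec["ip"], 0) + 1
    return counts


# Constructed sample log: the first line is the one quoted in the thread, the rest are made up.
SAMPLE_LOG = [
    "Jul 17 08:35:02 nas sshd[5994]: reverse mapping checking getaddrinfo for "
    "162.132-254-62.static.virginmediabusiness.co.uk [62.254.132.162] failed - POSSIBLE BREAK-IN ATTEMPT!",
    "Jul 17 08:35:09 nas sshd[6001]: reverse mapping checking getaddrinfo for "
    "box.example.com [192.0.2.44] failed - POSSIBLE BREAK-IN ATTEMPT!",
    "Jul 17 08:36:11 nas sshd[6010]: reverse mapping checking getaddrinfo for "
    "box.example.com [192.0.2.44] failed - POSSIBLE BREAK-IN ATTEMPT!",
    "Jul 17 08:36:30 nas sshd[6012]: Accepted publickey for alice from 203.0.113.7 port 51022 ssh2",
]

if __name__ == "__main__":
    for ip, n in failures_by_ip(SAMPLE_LOG).items():
        print(f"{ip}: {n} reverse-mapping failure(s)")
    for ip in PTR:
        print(ip, *fcrdns_check(ip))
```

The point of the model is that the message says nothing about the login itself: it is emitted before authentication, purely because the client's PTR record does not round-trip, which is common for consumer and hosting address space and is why the check is informational rather than a block. The per-IP counts are the kind of signal a rate limiter such as blacklistd acts on, independently of DNS.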