From: Gerard Seibert
To: User Questions <freebsd-questions@freebsd.org>
Date: Fri, 12 Jan 2007 17:51:32 -0500
Subject: Re: Please Help! How to STOP them...
In-Reply-To: <01f401c73694$417d7830$0a0aa8c0@rivendell>
Message-Id: <20070112174744.37AD.GERARD@seibercom.net>

On Friday January 12, 2007 at 04:54:37 (PM) Reko Turja wrote:

> > I am reading many hundred lines similar to those mentioned below.
> >
> > Could you please advise me what to do and how can I make my box more
> > secure?
> >
> > Jan 9 17:54:42 localhost sshd[5130]: reverse mapping checking getaddrinfo
> > for bbs-83-179.189.218.on-nets.com [218.189.179.83] failed - POSSIBLE
> > BREAK-IN ATTEMPT!
> > Jan 9 17:54:42 localhost sshd[5130]: Invalid user sysadmin from
> > 218.189.179.83
>
> It's basically just script kiddies trying to get in using some ready
> made user/password pairs.
>
> Lots of info covering this has been posted in these newsgroups
> previously, but some things you might consider:
>
> Moving your sshd port somewhere else than 22 - the prepackaged
> "cracking" programs don't scan ports, just blindly try out the default
> port - with a determined/skilled attacker it's a different matter
> entirely though.

Security through Obscurity is not true security at all. You are simply
assuming that other ports are not being scanned.

> Use some kind of port blocker (lots in the ports tree) which closes the
> port after a predetermined number of attempts - or as an alternative,
> use PF to close the port for the IPs in question after a predetermined
> number of connection attempts in a given time.
>
> Use key based authentication and stop using passwords altogether.

A very secure method. I would recommend this along with making sure your
firewall is properly configured and all unnecessary ports closed, etc.

> Remember to keep ssh1 disabled as well as direct root access into ssh
> from the ssh config file.

-- 
Gerard

For GOOGLE (L)Users: "RAM Disk" is not an installation procedure.
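The per-address counting that the port-blocker suggestion above relies on, as an added example that is not code from this thread or from any FreeBSD port: a POSIX sh/awk function that tallies sshd "Invalid user" lines per source address and lists the addresses that reach a threshold. The sample log lines are constructed (modelled on the ones quoted above), and the threshold value and the PF table name `bruteforce` are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: count sshd "Invalid user" attempts per
# source address in auth.log-style lines and list the addresses that reach a
# threshold. That is the decision a port blocker makes before it adds the
# address to a PF table, e.g. with:  pfctl -t bruteforce -T add <ip>
# A matching pf.conf fragment (table name is a placeholder) would be:
#   table <bruteforce> persist
#   block in quick from <bruteforce>
#   pass in on $ext_if proto tcp to port ssh keep state \
#       (max-src-conn-rate 5/30, overload <bruteforce> flush global)

# Constructed sample lines, modelled on the ones quoted in the thread.
# 192.0.2.10 is a documentation address, not a real host.
SAMPLE_LOG='Jan  9 17:54:42 localhost sshd[5130]: reverse mapping checking getaddrinfo for bbs-83-179.189.218.on-nets.com [218.189.179.83] failed - POSSIBLE BREAK-IN ATTEMPT!
Jan  9 17:54:42 localhost sshd[5130]: Invalid user sysadmin from 218.189.179.83
Jan  9 17:54:45 localhost sshd[5132]: Invalid user admin from 218.189.179.83
Jan  9 17:54:48 localhost sshd[5134]: Invalid user test from 218.189.179.83
Jan  9 17:54:51 localhost sshd[5136]: Invalid user oracle from 218.189.179.83
Jan  9 17:55:03 localhost sshd[5138]: Invalid user guest from 192.0.2.10
Jan  9 17:55:07 localhost sshd[5140]: Invalid user www from 192.0.2.10
Jan  9 17:55:09 localhost sshd[5142]: Accepted publickey for gerard from 192.0.2.10 port 51234 ssh2'

# offenders THRESHOLD [LOGFILE]: print "COUNT IP" for every source address
# with at least THRESHOLD "Invalid user" lines, busiest first. Without a
# LOGFILE the constructed sample above is used.
offenders() {
    threshold=$1
    { if [ -n "$2" ]; then cat "$2"; else printf '%s\n' "$SAMPLE_LOG"; fi; } |
    awk -v t="$threshold" '
        / sshd\[[0-9]+\]: Invalid user / {
            # the address follows the word "from"; newer sshd versions append
            # "port N ssh2", so do not rely on it being the last field
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }
    ' | sort -rn
}

# Stand-alone run: report sources with three or more bad-user attempts.
offenders 3
```

On a FreeBSD box the real input is typically `/var/log/auth.log`, so `offenders 5 /var/log/auth.log` lists the addresses to hand to `pfctl -t bruteforce -T add`.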