Date: Thu, 21 Aug 2008 21:58:00 +0200 From: Christian Laursen <xi@borderworlds.dk> To: Mikhail Teterin <mi+mill@aldan.algebra.com> Cc: freebsd-security@freebsd.org, freebsd-stable@FreeBSD.org Subject: Re: machine hangs on occasion - correlated with ssh break-in attempts Message-ID: <ygfvdxu5eev.fsf@dominion.borderworlds.dk> In-Reply-To: <48ADA81E.7090106@aldan.algebra.com> (Mikhail Teterin's message of "Thu\, 21 Aug 2008 13\:38\:38 -0400") References: <48ADA81E.7090106@aldan.algebra.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Mikhail Teterin <mi+mill@aldan.algebra.com> writes: > A machine I manage remotely for a friend comes under a distributed ssh > break-in attack every once in a while. Annoyed (and alarmed) by the > messages like: > > Aug 12 10:21:17 symbion sshd[4333]: Invalid user mythtv from 85.234.158.180 > Aug 12 10:21:18 symbion sshd[4335]: Invalid user mythtv from 85.234.158.180 > Aug 12 10:21:20 symbion sshd[4337]: Invalid user mythtv from 85.234.158.180 > Aug 12 10:21:21 symbion sshd[4339]: Invalid user mythtv from 85.234.158.180 > > I wrote an awk-script, which adds a block of the attacking IP-address > to the ipfw-rules after three such "invalid user" attempts with: > > ipfw add 550 deny ip from ip I don't know if it will make your problem go away, but using ipfw tables for this seems to be a better idea than creating a new rule for every IP address. So you just need one rule: ipfw add 550 deny ip from table(1) And then when you want to add an IP address to the table: ipfw table 1 add <ip> You can add ranges too using the CIDR notation. -- Christian Laursen
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?ygfvdxu5eev.fsf>