Date: Fri, 31 Mar 2006 10:32:04 -0500
From: "fbsd_user" <fbsd_user@a1poweruser.com>
To: "Nathan Vidican" <nvidican@wmptl.com>, <questions@freebsd.org>
Subject: RE: repeated ssh login attempts/failure/break-in attempts from kiddy script
Message-ID: <MIEPLLIBMLEEABPDBIEGAEMAHDAA.fbsd_user@a1poweruser.com>
In-Reply-To: <442D31C6.5050700@wmptl.com>
What you are seeing is ssh doing its job like it's designed to do. This is not anything you have to worry about. If you don't want to see these messages in your auth.log, then change syslog.conf to only send critical messages to the log.

There are a few different ports in the FreeBSD ports collection which address this problem by adding deny ip address rules to your firewall. The denyhosts port is the most popular. But this is just make-busy work, as it does not really provide any greater security than ssh is providing itself.

The facts of life are that script kiddies and robots roll through ranges of ip addresses looking for open ssh ports and then mount an attack. There is nothing you can do about this except change the port number ssh uses to some high port number. With only 4 remote ssh users, it is far better to change the port number ssh uses and just have your remote ssh users add the port number to use in their ssh client. Here is a document to explain how to do that in detail:

http://elibrary.fultus.com/technical/index.jsp?topic=/com.fultus.docs.software/books/ssh_how-to/cover.html

-----Original Message-----
From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Nathan Vidican
Sent: Friday, March 31, 2006 8:43 AM
To: questions@freebsd.org
Subject: repeated ssh login attempts/failure/break-in attempts from kiddy script

Noted recently in auth.log, a string of connection attempts repeated/failed over and over from one host. Looks like a script someone's running: tries all kinds of various usernames, etc., attempts like 100-200 logins, fails and goes away. A few hours go by, and another such attempt, from a different IP, comes in. If I'm here and just happen to notice them, a simple ipfw add deny... does the trick, but is there not a way to limit the login attempts for a certain period of time? i.e. after 4 failed attempts from IP _BLANK_ in less than _BLANK_ minutes, deny all attempts and drop connection from said IP... possible?
Any suggestions/ideas? Thus far, no one has managed to login (there are only three accounts which even have a shell or can login via ssh... but still not the point). I'd just like to get rid of the problem and save my auth.log file for perhaps something more useful ;)

--
Nathan Vidican
nvidican@wmptl.com
Windsor Match Plate & Tool Ltd.
http://www.wmptl.com/
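The threshold-in-a-window rule Nathan describes ("after 4 failed attempts from an IP in less than N minutes, deny it") is straightforward to script against auth.log, and seeing the counts per source address is also a useful sanity check before reaching for denyhosts or a port change. The script below is an added example written for this archive page; it is not code from either poster or from any FreeBSD port. It parses OpenSSH "Failed password" lines in syslog format with a sliding window per source IP, and emits the ipfw deny rule Nathan mentions for any address that trips the threshold. The log lines, host name "gw", addresses and the year 2006 (syslog lines carry no year) are constructed sample data.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH failure line as written to a syslog-style auth.log:
#   "Mar 31 08:40:01 gw sshd[2210]: Failed password for invalid user admin from 192.0.2.10 port 40122 ssh2"
# Only "Failed password" lines are counted; the "Invalid user X from IP" line that
# older sshd versions also log for the same attempt would otherwise double-count it.
FAILED_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+\S+\s+sshd\[\d+\]:\s+"
    r"Failed password for (?:invalid user )?\S+\s+from\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b"
)

LOG_YEAR = 2006  # assumption: syslog timestamps have no year, so one is supplied

# Constructed sample log: one burst from 192.0.2.10, slow retries from 198.51.100.7,
# and one successful key login that must be ignored.
SAMPLE_LOG = [
    "Mar 31 08:40:01 gw sshd[2210]: Failed password for invalid user admin from 192.0.2.10 port 40122 ssh2",
    "Mar 31 08:40:05 gw sshd[2212]: Failed password for invalid user test from 192.0.2.10 port 40131 ssh2",
    "Mar 31 08:40:12 gw sshd[2214]: Failed password for root from 192.0.2.10 port 40140 ssh2",
    "Mar 31 08:40:20 gw sshd[2216]: Failed password for invalid user oracle from 192.0.2.10 port 40152 ssh2",
    "Mar 31 08:40:25 gw sshd[2218]: Failed password for invalid user guest from 192.0.2.10 port 40160 ssh2",
    "Mar 31 08:41:02 gw sshd[2220]: Accepted publickey for nathan from 203.0.113.5 port 50100 ssh2",
    "Mar 31 08:43:00 gw sshd[2230]: Failed password for nathan from 198.51.100.7 port 51000 ssh2",
    "Mar 31 08:50:00 gw sshd[2231]: Failed password for nathan from 198.51.100.7 port 51002 ssh2",
    "Mar 31 08:57:00 gw sshd[2232]: Failed password for nathan from 198.51.100.7 port 51004 ssh2",
    "Mar 31 09:04:00 gw sshd[2233]: Failed password for nathan from 198.51.100.7 port 51006 ssh2",
]


def parse_failures(lines):
    """Yield (timestamp, source_ip) for each line recording a failed ssh password login."""
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        stamp = f"{LOG_YEAR} {m['mon']} {m['day']} {m['time']}"
        yield datetime.strptime(stamp, "%Y %b %d %H:%M:%S"), m["ip"]


def offending_ips(lines, threshold=4, window_minutes=5):
    """Sliding-window check: map each IP that reaches `threshold` failures within
    `window_minutes` to the timestamp of the failure that tripped it."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    tripped = {}
    for ts, ip in parse_failures(lines):
        if ip in tripped:
            continue               # already flagged; no need to keep counting
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()            # drop failures that have aged out of the window
        if len(q) >= threshold:
            tripped[ip] = ts
    return tripped


def ipfw_deny_rules(ips):
    """Render the ipfw deny rule from the thread for each flagged address."""
    return [f"ipfw add deny ip from {ip} to any" for ip in sorted(ips)]


if __name__ == "__main__":
    hits = offending_ips(SAMPLE_LOG)
    for ip, when in hits.items():
        print(f"{ip} tripped the threshold at {when.isoformat()}")
    for rule in ipfw_deny_rules(hits):
        print(rule)
```

With the defaults (4 failures within 5 minutes) only the 192.0.2.10 burst is flagged; the slow retries from 198.51.100.7 are 7 minutes apart and never accumulate 4 hits in one window, which is exactly the case where the window size, not just the count, decides what gets blocked. Widening the window to 30 minutes catches both. Whatever the threshold, a rule produced this way should expire after a while rather than stay in the firewall forever, or a list of stale denies accumulates the same way the auth.log noise did.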