From owner-freebsd-questions@FreeBSD.ORG Tue Jan 2 13:22:59 2007
Message-ID: <459A5A45.4080309@wmptl.com>
Date: Tue, 02 Jan 2007 08:12:37 -0500
From: Nathan Vidican <nvidican@wmptl.com>
User-Agent: Thunderbird 1.5.0.7 (X11/20061027)
To: questions@freebsd.org
Subject: sshd break-in attempt

We keep getting attempts from what look like a username/password scanner utility to login to our servers externally via sshd. Thankfully, we're not ignorant enough to leave common account names open; however, it is annoying to say the least.
We're getting things like this:

    Jan 1 09:07:34 fw sshd[66547]: Invalid user staff from 208.44.210.15
    Jan 1 09:07:35 fw sshd[66549]: Invalid user sales from 208.44.210.15
    Jan 1 09:07:36 fw sshd[66551]: Invalid user recruit from 208.44.210.15
    Jan 1 09:07:37 fw sshd[66553]: Invalid user alias from 208.44.210.15
    Jan 1 09:07:38 fw sshd[66555]: Invalid user office from 208.44.210.15
    Jan 1 09:07:38 fw sshd[66557]: Invalid user samba from 208.44.210.15
    Jan 1 09:07:39 fw sshd[66559]: Invalid user tomcat from 208.44.210.15
    Jan 1 09:07:40 fw sshd[66561]: Invalid user webadmin from 208.44.210.15
    Jan 1 09:07:41 fw sshd[66563]: Invalid user spam from 208.44.210.15
    Jan 1 09:07:42 fw sshd[66565]: Invalid user virus from 208.44.210.15
    Jan 1 09:07:43 fw sshd[66567]: Invalid user cyrus from 208.44.210.15
    Jan 1 09:07:43 fw sshd[66569]: Invalid user staff from 208.44.210.15
    Jan 1 09:07:44 fw sshd[66571]: Invalid user oracle from 208.44.210.15

in our 'periodic daily' report/email (only the list goes on for hundreds of attempts).

Anyhow, long story short: is there not an easy way to make sshd block or deny hosts temporarily if X number of invalid login attempts are made within a minute's time? Must I use an external wrapper to accomplish this, or can it be done with options to sshd on its own?

-- 
Nathan Vidican
nvidican@wmptl.com
Windsor Match Plate & Tool Ltd.
http://www.wmptl.com/
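The question above asks for "block after X invalid attempts within a minute". sshd itself has no per-source lockout option (MaxAuthTries limits attempts per connection, not per host), so the counting is done outside sshd by watching the log. The following is an added example, not code from the original post or from FreeBSD: it parses the "Invalid user ... from ..." lines quoted above, keeps a sliding 60-second window per source address, and reports the addresses that cross the threshold. The sample log reuses the lines from the post plus two constructed lines (a lone attempt from 192.0.2.7 and an unrelated accepted-login line); the year, the threshold of 5 and the pf table name "bruteforce" are assumptions.

```python
"""Count sshd 'Invalid user' attempts per source address in a sliding window.

Added example; the threshold, window, year and pf table name are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Sample log: the lines quoted in the post, plus two constructed lines
# (one unrelated accepted login and one single attempt from 192.0.2.7).
SAMPLE_LOG = """\
Jan 1 09:07:34 fw sshd[66547]: Invalid user staff from 208.44.210.15
Jan 1 09:07:35 fw sshd[66549]: Invalid user sales from 208.44.210.15
Jan 1 09:07:36 fw sshd[66551]: Invalid user recruit from 208.44.210.15
Jan 1 09:07:36 fw sshd[66552]: Accepted publickey for nathan from 10.0.0.11 port 50123 ssh2
Jan 1 09:07:37 fw sshd[66553]: Invalid user alias from 208.44.210.15
Jan 1 09:07:38 fw sshd[66555]: Invalid user office from 208.44.210.15
Jan 1 09:07:38 fw sshd[66557]: Invalid user samba from 208.44.210.15
Jan 1 09:07:39 fw sshd[66559]: Invalid user tomcat from 208.44.210.15
Jan 1 09:07:40 fw sshd[66561]: Invalid user webadmin from 208.44.210.15
Jan 1 09:07:41 fw sshd[66563]: Invalid user spam from 208.44.210.15
Jan 1 09:07:42 fw sshd[66565]: Invalid user virus from 208.44.210.15
Jan 1 09:07:43 fw sshd[66567]: Invalid user cyrus from 208.44.210.15
Jan 1 09:07:43 fw sshd[66569]: Invalid user staff from 208.44.210.15
Jan 1 09:07:44 fw sshd[66571]: Invalid user oracle from 208.44.210.15
Jan 1 09:09:02 fw sshd[66590]: Invalid user test from 192.0.2.7
""".splitlines()

# Matches the syslog timestamp (no year), the host, the sshd pid and the
# "Invalid user <name> from <ip>" message; anything else is ignored.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_line(line, year=2007):
    """Return (timestamp, user, ip) for an 'Invalid user' line, else None.

    syslog omits the year, so it is supplied by the caller (assumed 2007 here);
    a year rollover inside one window is not handled.
    """
    m = LOG_RE.match(line)
    if m is None:
        return None
    stamp = " ".join(m["ts"].split())  # collapse syslog's "Jan  1" padding
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]


def find_offenders(lines, threshold=5, window_seconds=60, year=2007):
    """Return {ip: timestamp} for each source whose invalid-user attempts
    reached `threshold` within any `window_seconds` span; the timestamp is
    the attempt that first crossed the threshold."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, _user, ip = parsed
        window = recent[ip]
        window.append(ts)
        # Drop attempts older than the window relative to the newest one.
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


def pf_table_commands(flagged, table="bruteforce"):
    """Build the pfctl commands that would add each offender to a pf table.

    The table name is an assumption; the admin must define it in pf.conf and
    write a rule that blocks from it. Commands are returned, not executed.
    """
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(flagged)]


if __name__ == "__main__":
    hits = find_offenders(SAMPLE_LOG)
    for ip, when in hits.items():
        print(f"{ip} crossed the threshold at {when:%b %d %H:%M:%S}")
    for cmd in pf_table_commands(hits):
        print(cmd)
```

Run against the sample, 208.44.210.15 is flagged at 09:07:38 (its fifth attempt within the window), 192.0.2.7 is not, and the accepted-login line is skipped by the parser. Expiring an address from the table after a cooling-off period is left to the admin; the point of the window is that a single mistyped password from a legitimate host never reaches the threshold.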