Date:      Mon, 18 Jan 2010 16:53:14 -0600
From:      Adam Vande More <amvandemore@gmail.com>
To:        David Southwell <david@vizion2000.net>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: /etc/hosts.deniedssh
Message-ID:  <6201873e1001181453n2e907e9ex11ffbc3a37233a@mail.gmail.com>
In-Reply-To: <201001182239.20153.david@vizion2000.net>
References:  <201001182239.20153.david@vizion2000.net>

On Mon, Jan 18, 2010 at 4:39 PM, David Southwell <david@vizion2000.net> wrote:

> Examples from hosts.deniedssh
> I seem to be on the receiving end of a concerted series of unsuccessful
> break-in attacks on one of our systems. One small part of the attack has
> resulted in over 2000 entries in our hosts.deniedssh file in less than 1 hour.
>
> I would be interested in any comments on the small example shown below and
> any advice.
>
> Thanks in advance
>
> David
> r200-40-132-245.static.adinet.com.uy
> mail.munisanmiguel.gob.pe
> port-83-236-241-198.static.qsc.de
> pd95b50ce.dip0.t-ipconnect.de
> v32641.1blu.de
> dubovik.net
>

Looks like your conf could use some love. Why are you resolving IPs?
Thresholds can be lowered. Are you syncing with a remote list?

-- 
Adam Vande More
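
One way to check a deny file for the two symptoms visible in the quoted excerpt (entries stored as resolved hostnames rather than addresses, and the same entry repeated), as an added example that is not part of the original thread. The accepted line formats (bare host, or `daemon: host`), the function names and the sample data are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample (not from the thread): reserved example domains and
# documentation address ranges, in the one-entry-per-line style quoted above.
SAMPLE = """\
# constructed sample
host-a.example.net
192.0.2.10
sshd: host-b.example.org
host-a.example.net
ALL: 198.51.100.7
192.0.2.10
host-a.example.net
2001:db8::5
"""

def parse_entry(line):
    """Return the host part of a deny line, or None for blanks and comments."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    # Assumed formats: "daemon: host" (hosts.deny style) or a bare "host".
    # A bare IPv6 literal has no whitespace after its colons, so it is not split.
    m = re.match(r"^[\w.-]+:\s+(.+)$", line)
    host = m.group(1) if m else line
    return host.strip("[]").lower()

def is_ip(host):
    """True when the entry is an IPv4 or IPv6 literal rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def audit(text):
    """Summarise a deny file: entry counts, hostname entries, repeated entries."""
    hosts = [h for h in map(parse_entry, text.splitlines()) if h]
    counts = Counter(hosts)
    return {
        "total": len(hosts),
        "unique": len(counts),
        "hostnames": sorted(h for h in counts if not is_ip(h)),
        "duplicates": {h: n for h, n in counts.items() if n > 1},
    }

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A large gap between `total` and `unique` means the file is growing from repeats rather than new sources, and every name under `hostnames` is an entry whose matching depends on reverse DNS, which is set by whoever controls the source address block.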


