From owner-freebsd-questions@FreeBSD.ORG Tue Jan 2 14:40:05 2007 Return-Path: X-Original-To: questions@freebsd.org Delivered-To: freebsd-questions@FreeBSD.ORG Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id C016516A416 for ; Tue, 2 Jan 2007 14:40:05 +0000 (UTC) (envelope-from peo@intersonic.se) Received: from neonpark.inter-sonic.com (neonpark.inter-sonic.com [212.247.8.98]) by mx1.freebsd.org (Postfix) with ESMTP id 75D6013C459 for ; Tue, 2 Jan 2007 14:40:05 +0000 (UTC) (envelope-from peo@intersonic.se) X-Virus-Scanned: amavisd-new at inter-sonic.com Message-ID: <459A6AF0.30305@intersonic.se> Date: Tue, 02 Jan 2007 15:23:44 +0100 From: Per olof Ljungmark Organization: Intersonic AB User-Agent: Thunderbird 1.5.0.9 (Windows/20061207) MIME-Version: 1.0 To: Nathan Vidican References: <459A5A45.4080309@wmptl.com> In-Reply-To: <459A5A45.4080309@wmptl.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: questions@freebsd.org Subject: Re: sshd break-in attempt X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 02 Jan 2007 14:40:05 -0000 Nathan Vidican wrote: > We keep getting attempts from what look like a username/password scanner > utility to login to our servers externally via sshd. Thankfully, we're > not ignorant enough to leave common account names open, however it is > annoying to say the least. We're getting things like this: > > Jan 1 09:07:34 fw sshd[66547]: Invalid user staff from 208.44.210.15 > Jan 1 09:07:35 fw sshd[66549]: Invalid user sales from 208.44.210.15 > Jan 1 09:07:36 fw sshd[66551]: Invalid user recruit from 208.44.210.15 > Jan 1 09:07:37 fw sshd[66553]: Invalid user alias from 208.44.210.15 > Jan 1 09:07:38 fw sshd[66555]: Invalid user office from 208.44.210.15 > Jan 1 09:07:38 fw sshd[66557]: Invalid user samba from 208.44.210.15 > Jan 1 09:07:39 fw sshd[66559]: Invalid user tomcat from 208.44.210.15 > Jan 1 09:07:40 fw sshd[66561]: Invalid user webadmin from 208.44.210.15 > Jan 1 09:07:41 fw sshd[66563]: Invalid user spam from 208.44.210.15 > Jan 1 09:07:42 fw sshd[66565]: Invalid user virus from 208.44.210.15 > Jan 1 09:07:43 fw sshd[66567]: Invalid user cyrus from 208.44.210.15 > Jan 1 09:07:43 fw sshd[66569]: Invalid user staff from 208.44.210.15 > Jan 1 09:07:44 fw sshd[66571]: Invalid user oracle from 208.44.210.15 > > In our 'periodic daily' report/email, (only the list goes on for > hundreds of attempts). Anyhow, long story short; is there not an easy > way to make sshd block or deny hosts temporarily if X number of invalid > login attempts are made within a minute's time? Must I use an external > wrapper to accomplish this, or can it be done with options to sshd on > it's own? There are several ways to block the attacks, one pointed out by first respondent, we use Denyhosts and sshblock here. Google should point you several others. http://www.google.se/search?hl=en&q=ssh+attacks&btnG=Google+Search