From owner-freebsd-questions@FreeBSD.ORG Mon Oct 18 07:00:51 2004
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D380F16A4CE for ; Mon, 18 Oct 2004 07:00:51 +0000 (GMT)
Received: from auk1.snu.ac.kr (auk1.snu.ac.kr [147.46.100.31]) by mx1.FreeBSD.org (Postfix) with ESMTP id 484A043D41 for ; Mon, 18 Oct 2004 07:00:51 +0000 (GMT) (envelope-from spamrefuse@yahoo.com)
Received: from [147.46.44.181] (spamrefuse@yahoo.com) by auk1.snu.ac.kr (Terrace Internet Messaging Server) with ESMTP id 2004101815:59:22:343223.15513.3025140656 for ; Mon, 18 Oct 2004 15:59:22 +0900 (KST)
Message-ID: <41736A22.7000900@yahoo.com>
Date: Mon, 18 Oct 2004 16:00:50 +0900
From: Rob
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.2) Gecko/20041017
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Odhiambo Washington , freebsd-questions@freebsd.org
References: <20041018055122.GB35360@ns2.wananchi.com>
In-Reply-To: <20041018055122.GB35360@ns2.wananchi.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
X-TERRACE-SPAMMARK: YES-__TRSYS_LV__3 (SR:-5.58) (SRN:SPAMROBOT) -----------------
Subject: Re: Are these attempts by password crackers??
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 18 Oct 2004 07:00:51 -0000

Odhiambo Washington wrote:
> Hello users.
> I run several 5.2.1 boxes (in production).
>
> For weeks now, I have seen a lot of notifications from periodic/daily
> with the output below and I have questions:
>
> 1. Is this some virus or some crackers playing around?
> 2. Why only on 5.2.1 systems and not on any of the 4.10 boxes that I
>    also run?
> 3. Am I supposed to be worried at all?
> Well, I am not ;)
> I hate the messages though and there must be something here that I
> need to do.
>
> Oct 17 10:44:10 gw sshd[4170]: Failed password for nobody from 210.80.96.185 port 52215 ssh2
> Oct 17 10:44:19 gw sshd[4172]: Failed password for patrick from 210.80.96.185 port 52337 ssh2

These attackers seem to always poke at port 22 for ssh holes.
I have three ways to prevent access, from easy to more difficult setup:

1. Restrict sshd access in /etc/hosts.allow, by an entry like

     sshd : 225.50.0.0/255.255.0.0 : allow
     [...whatever access restrictions to other services...]
     ALL : ALL : deny

   where 225.50.0.0/255.255.0.0 is an example of the sub-network you're on.
   Only IPs from this network can access your PC via ssh.

2. Shift your sshd access to another port, by modifying /etc/rc.conf:

     sshd_flags="-p 4321"

   but then users should be informed to do "ssh -p 4321 ...." instead.
   Note: 4321 is just an example; choose your own number > 1024 here.

3. Use a firewall that allows access via port 22 only for restricted IPs,
   but the other sshd port for the whole world. Modify /etc/rc.conf:

     sshd_flags="-p 22 -p 4321"

   And for example with ipfw:

     [...]
     check-state
     [...]
     allow tcp from any to me 4321 in via rl0 setup
     allow tcp from 225.50.0.0/16 to me ssh in via rl0 setup

   (replace "rl0" by your own device).

I am using (3) and the sshd attacks have dropped to zero.

Rob.
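Added example, not from Rob's or Odhiambo's mail: before deciding on one of the three mitigations above, it helps to measure how concentrated the "Failed password" noise is per source address. The POSIX sh/awk script below counts sshd password failures per source IP over a log excerpt and emits a hosts.allow deny line for every source at or above a threshold, in the same "sshd : host : deny" form Rob's hosts.allow entry uses. The log lines are constructed (modelled on the two quoted in the mail), the 192.0.2.10 address is documentation space, and the threshold of 3 is an arbitrary assumption; OpenSSH of that era logged unknown accounts as "illegal user" rather than "invalid user", and the script handles both because it locates the address from the end of the line rather than by username.

```shell
#!/bin/sh
# Added example: count sshd "Failed password" attempts per source IP in an
# auth.log excerpt and turn repeat offenders into /etc/hosts.allow deny lines.
# Sample log lines are constructed for this example, not taken from a real host.

SAMPLE_LOG='Oct 17 10:44:10 gw sshd[4170]: Failed password for nobody from 210.80.96.185 port 52215 ssh2
Oct 17 10:44:19 gw sshd[4172]: Failed password for patrick from 210.80.96.185 port 52337 ssh2
Oct 17 10:44:27 gw sshd[4174]: Failed password for illegal user test from 210.80.96.185 port 52410 ssh2
Oct 17 10:44:35 gw sshd[4176]: Failed password for root from 210.80.96.185 port 52501 ssh2
Oct 17 11:02:03 gw sshd[4201]: Failed password for rob from 192.0.2.10 port 40011 ssh2
Oct 17 11:02:09 gw sshd[4203]: Accepted password for rob from 192.0.2.10 port 40012 ssh2'

# ssh_failures_by_ip: read log text on stdin, print "count ip" per source
# address seen in sshd "Failed password" lines, most frequent first.
# The line always ends "... from <ip> port <n> ssh2", so the address is
# taken relative to the end of the line; this survives odd usernames
# (even a user literally named "from") and both "illegal user"/"invalid user".
ssh_failures_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ && $(NF-4) == "from" {
             n[$(NF-3)]++
         }
         END { for (ip in n) printf "%d %s\n", n[ip], ip }' | sort -rn
}

# ssh_bruteforcers THRESHOLD: print only the IPs with at least THRESHOLD failures.
# Both sides are forced numeric so "10" is not string-compared against "3".
ssh_bruteforcers() {
    ssh_failures_by_ip | awk -v t="$1" '$1 + 0 >= t + 0 { print $2 }'
}

# hosts_allow_deny THRESHOLD: emit one "sshd : <ip> : deny" line per offender.
# hosts.allow is first-match, so these lines must be placed ABOVE any
# "sshd : ... : allow" or "ALL : ALL : deny" rule to take effect.
hosts_allow_deny() {
    ssh_bruteforcers "$1" | awk '{ printf "sshd : %s : deny\n", $1 }'
}

# Run over the constructed sample with a threshold of 3 failures.
printf '%s\n' "$SAMPLE_LOG" | hosts_allow_deny 3
```

On a live system the same functions would be fed with, for example, `grep sshd /var/log/auth.log | hosts_allow_deny 10`; the "Accepted password" line in the sample is there to show that successful logins are deliberately not counted, so a legitimate user who mistypes once is not blocked together with the scanner.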