Date:      Thu, 21 Aug 2008 22:18:53 +0200
From:      Eugene Butusov <ebutusov@gmail.com>
To:        Mikhail Teterin <mi+mill@aldan.algebra.com>
Cc:        freebsd-security@freebsd.org, freebsd-stable@FreeBSD.org
Subject:   Re: machine hangs on occasion - correlated with ssh break-in attempts
Message-ID:  <48ADCDAD.80507@gmail.com>
In-Reply-To: <48ADA81E.7090106@aldan.algebra.com>
References:  <48ADA81E.7090106@aldan.algebra.com>

Mikhail Teterin writes:
> Hello!
> 
> A machine I manage remotely for a friend comes under a distributed ssh 
> break-in attack every once in a while. Annoyed (and alarmed) by the 
> messages like:
> 
> Aug 12 10:21:17 symbion sshd[4333]: Invalid user mythtv from 85.234.158.180
> Aug 12 10:21:18 symbion sshd[4335]: Invalid user mythtv from 85.234.158.180
> Aug 12 10:21:20 symbion sshd[4337]: Invalid user mythtv from 85.234.158.180
> Aug 12 10:21:21 symbion sshd[4339]: Invalid user mythtv from 85.234.158.180
> 
> I wrote an awk-script, which adds a block of the attacking IP-address to 
> the ipfw-rules after three such "invalid user" attempts with:
> 
>    ipfw add 550 deny ip from ip
> 
> The script is fed by syslogd directly -- through a syslog.conf rule 
> ("|/opt/sbin/auth-log-watch").

Hi,

   You should look at 'bruteblock' (ports/security), it has similar 
functionality. It also provides a daemon process, bruteblockd, which is
responsible for removing entries from the ipfw table.

Best regards,
-- 
_/_/   .. Eugene Butusov
  _/_/  ... www.devilka.info
   _/_/ .... ebutusov(at)gmail(dot)com
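The count-and-block logic that the quoted post describes (three "Invalid user" lines from one address, then an ipfw deny rule), written out here as an added example. This is not Mikhail's awk script and not bruteblock's code: it assumes the sshd log format shown in the quoted lines, the ipfw(8) syntax `ipfw add <rule> deny ip from <addr> to any`, and constructed sample lines for a dry run; the THRESHOLD/RULE/DRY_RUN knobs and the function names are my own.

```shell
#!/bin/sh
# Added example: a syslog-fed blocker for sshd "Invalid user" attempts.
# Not the original poster's awk script and not part of bruteblock; it
# assumes the log format quoted in the thread and ipfw(8) rule syntax.
#
# As a syslog.conf pipe action it reads log lines on stdin forever;
# with DRY_RUN=1 (the default) it only prints the ipfw commands it would run.

THRESHOLD=${THRESHOLD:-3}    # attempts per source before blocking
RULE=${RULE:-550}            # ipfw rule number, as in the original post
DRY_RUN=${DRY_RUN:-1}        # set to 0 to actually call ipfw

# extract_offenders: stdin = syslog lines; stdout = each source address once,
# emitted the moment its "Invalid user" count reaches THRESHOLD.
extract_offenders() {
    awk -v thr="$THRESHOLD" '
    /sshd\[[0-9]+\]: Invalid user / {
        # The user name is attacker-chosen and could itself contain
        # " from 192.0.2.1", so take the address after the LAST "from".
        ip = ""
        for (i = NF - 1; i > 0; i--)
            if ($i == "from") { ip = $(i + 1); break }
        # Only a dotted quad is ever handed to ipfw (IPv6 is not handled).
        if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
        # fflush() so a long-lived syslog pipe does not sit on buffered output
        if (++count[ip] == thr) { print ip; fflush() }
    }'
}

# block_ip ADDR: install (or, in dry-run mode, print) the deny rule.
block_ip() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "ipfw add $RULE deny ip from $1 to any"
    else
        ipfw add "$RULE" deny ip from "$1" to any
    fi
}

# sample_log: constructed lines in the format quoted in the thread, for a
# dry run. Two sources reach the threshold; one line has no usable address,
# and the last line has a user name that itself contains " from <addr>".
sample_log() {
    cat <<'EOF'
Aug 12 10:21:17 symbion sshd[4333]: Invalid user mythtv from 85.234.158.180
Aug 12 10:21:18 symbion sshd[4335]: Invalid user mythtv from 85.234.158.180
Aug 12 10:21:19 symbion sshd[4336]: Invalid user admin from 192.0.2.7
Aug 12 10:21:20 symbion sshd[4337]: Invalid user mythtv from 85.234.158.180
Aug 12 10:21:21 symbion sshd[4339]: Invalid user mythtv from 85.234.158.180
Aug 12 10:21:22 symbion sshd[4340]: Invalid user oracle from 192.0.2.7 port 40212
Aug 12 10:21:23 symbion sshd[4341]: Accepted publickey for mi from 192.0.2.9
Aug 12 10:21:24 symbion sshd[4342]: Invalid user test from 192.0.2.7 port 40213
Aug 12 10:21:25 symbion sshd[4343]: Invalid user foo from not-an-address
Aug 12 10:21:26 symbion sshd[4344]: Invalid user bob from 192.0.2.1 from 198.51.100.4
EOF
}

# run_blocker: the pipeline a syslog.conf "|/path/to/script" action drives.
run_blocker() {
    extract_offenders | while read -r ip; do
        block_ip "$ip"
    done
}

case "${1:-}" in
    --demo)   sample_log | run_blocker ;;   # dry run on the constructed sample
    --syslog) run_blocker ;;                # read real log lines from stdin
esac
```

Run `sh auth-log-watch --demo` to see the two deny commands it would issue; hooked up as the post describes (a syslog.conf action of the form `|/opt/sbin/auth-log-watch`, started with `--syslog` and DRY_RUN=0) it blocks for real. Two caveats a practitioner would want: the per-address counters never decay and the rules never expire, which is exactly the gap bruteblockd fills by expiring entries from an ipfw table; and the address is taken after the last "from" field because the user name in that log line is chosen by the attacker and could otherwise steer the script into blocking an address of the attacker's choosing.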


