From owner-freebsd-questions@FreeBSD.ORG Wed Jan 3 14:06:53 2007
From: Michael
Date: Wed, 03 Jan 2007 05:38:18 -0800
To: Per olof Ljungmark
Cc: questions@freebsd.org, Nathan Vidican
Subject: Re: sshd break-in attempt
Message-ID: <459BB1CA.1010008@gmail.com>
In-Reply-To: <459A6AF0.30305@intersonic.se>
References: <459A5A45.4080309@wmptl.com> <459A6AF0.30305@intersonic.se>
List-Id: User questions
User-Agent: Thunderbird 1.5.0.9 (Windows/20061207)

Per olof Ljungmark wrote:
> Nathan Vidican wrote:
>> We keep getting attempts from what look like a username/password
>> scanner utility to log in to our servers externally via sshd.
>> Thankfully, we're not ignorant enough to leave common account names
>> open, however it is annoying to say the least.
>> We're getting things like this:
>>
>> Jan 1 09:07:34 fw sshd[66547]: Invalid user staff from 208.44.210.15
>> Jan 1 09:07:35 fw sshd[66549]: Invalid user sales from 208.44.210.15
>> Jan 1 09:07:36 fw sshd[66551]: Invalid user recruit from 208.44.210.15
>> Jan 1 09:07:37 fw sshd[66553]: Invalid user alias from 208.44.210.15
>> Jan 1 09:07:38 fw sshd[66555]: Invalid user office from 208.44.210.15
>> Jan 1 09:07:38 fw sshd[66557]: Invalid user samba from 208.44.210.15
>> Jan 1 09:07:39 fw sshd[66559]: Invalid user tomcat from 208.44.210.15
>> Jan 1 09:07:40 fw sshd[66561]: Invalid user webadmin from 208.44.210.15
>> Jan 1 09:07:41 fw sshd[66563]: Invalid user spam from 208.44.210.15
>> Jan 1 09:07:42 fw sshd[66565]: Invalid user virus from 208.44.210.15
>> Jan 1 09:07:43 fw sshd[66567]: Invalid user cyrus from 208.44.210.15
>> Jan 1 09:07:43 fw sshd[66569]: Invalid user staff from 208.44.210.15
>> Jan 1 09:07:44 fw sshd[66571]: Invalid user oracle from 208.44.210.15
>>
>> In our 'periodic daily' report/email, (only the list goes on for
>> hundreds of attempts). Anyhow, long story short; is there not an easy
>> way to make sshd block or deny hosts temporarily if X number of
>> invalid login attempts are made within a minute's time? Must I use an
>> external wrapper to accomplish this, or can it be done with options
>> to sshd on its own?
>
> There are several ways to block the attacks, one pointed out by the first
> respondent; we use Denyhosts and sshblock here.
>
> Google should point you to several others.
> http://www.google.se/search?hl=en&q=ssh+attacks&btnG=Google+Search

As I have mentioned before here on this list, we use Blockhosts, which has
been extremely effective in blocking these after X number of attempts.
You can find it here: http://www.aczoom.com/cms/blockhosts

Give it a go, I think you'll be very happy with the results.

Michael
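Added example, not code from BlockHosts, DenyHosts or sshblock and not part of the thread above: the mechanism all of those tools share, reduced to its core so it can be run over a few log lines. It parses the "Invalid user ... from ..." lines Nathan quotes (and, as a generalization, OpenSSH's "Failed <method> for <user> from ..." lines for existing accounts), keeps a per-source sliding window of failures, and flags any address that reaches the threshold inside the window, which is exactly the "X attempts within a minute" policy Nathan asks for. The sample log is constructed (208.44.210.15 is the scanner from the thread; 192.0.2.10 and 198.51.100.7 are documentation addresses standing in for a slow prober and a whitelisted office host), the year is assumed because syslog timestamps carry none, and the pf table name "bruteforce" is an assumption; BlockHosts itself writes to hosts.allow rather than a pf table.

```python
"""Per-source-IP sliding-window counter for sshd login failures.

Added illustration of the technique behind BlockHosts/DenyHosts/sshblock;
not their code. Sample log lines below are constructed.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import NamedTuple

# Constructed sample, modeled on the lines quoted in the thread. 208.44.210.15 is
# the scanner from the thread; 192.0.2.10 and 198.51.100.7 are assumed extra sources.
SAMPLE_LOG = """\
Jan  1 09:07:34 fw sshd[66547]: Invalid user staff from 208.44.210.15
Jan  1 09:07:35 fw sshd[66549]: Invalid user sales from 208.44.210.15
Jan  1 09:07:36 fw sshd[66551]: Invalid user recruit from 208.44.210.15
Jan  1 09:07:37 fw sshd[66553]: Invalid user alias from 208.44.210.15
Jan  1 09:07:38 fw sshd[66555]: Invalid user office from 208.44.210.15
Jan  1 09:07:38 fw sshd[66557]: Invalid user samba from 208.44.210.15
Jan  1 09:08:01 fw sshd[66560]: Invalid user admin from 192.0.2.10
Jan  1 09:08:01 fw sshd[66560]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Jan  1 09:08:40 fw sshd[66566]: Failed password for nathan from 192.0.2.10 port 51240 ssh2
Jan  1 09:09:41 fw sshd[66580]: Invalid user test from 192.0.2.10
Jan  1 09:09:42 fw sshd[66582]: Invalid user test from 192.0.2.10
Jan  1 09:09:43 fw sshd[66584]: Invalid user test from 192.0.2.10
Jan  1 09:10:00 fw sshd[66590]: Accepted publickey for nathan from 198.51.100.7 port 2222 ssh2
Jan  1 09:10:05 fw sshd[66592]: Invalid user guest from 198.51.100.7
Jan  1 09:10:06 fw sshd[66594]: Invalid user guest from 198.51.100.7
Jan  1 09:10:07 fw sshd[66596]: Invalid user guest from 198.51.100.7
Jan  1 09:10:08 fw sshd[66598]: Invalid user guest from 198.51.100.7
Jan  1 09:10:09 fw sshd[66600]: Invalid user guest from 198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"\S+\s+sshd\[\d+\]:\s+(?P<msg>.*)$"
)
# One "Invalid user" line per connection offering a nonexistent account, and one
# "Failed <method> for <user>" line per failed attempt against a real account.
# "Failed ... for invalid user ..." repeats the "Invalid user" line for the same
# connection, so it is deliberately not counted a second time.
INVALID_RE = re.compile(r"^Invalid user \S+ from (?P<ip>\S+)")
FAILED_RE = re.compile(r"^Failed \S+ for (?!invalid user )\S+ from (?P<ip>\S+)")

ASSUMED_YEAR = 2007  # assumption: syslog timestamps carry no year


class Event(NamedTuple):
    when: datetime
    ip: str


class Offender(NamedTuple):
    ip: str
    attempts: int          # failures inside the window when the threshold tripped
    flagged_at: datetime


def parse_failures(lines):
    """Yield an Event(timestamp, source IP) for each counted sshd auth failure."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        hit = INVALID_RE.match(m.group("msg")) or FAILED_RE.match(m.group("msg"))
        if not hit:
            continue
        stamp = f"{m.group('mon')} {m.group('day')} {m.group('time')} {ASSUMED_YEAR}"
        yield Event(datetime.strptime(stamp, "%b %d %H:%M:%S %Y"), hit.group("ip"))


def find_offenders(lines, threshold=5, window_seconds=60, whitelist=()):
    """Flag each source IP the first time it reaches `threshold` failures within
    any `window_seconds`-long span. Lines must be in time order, as in a log
    file. `whitelist` holds CIDR strings that are never flagged."""
    nets = [ipaddress.ip_network(w, strict=False) for w in whitelist]
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}                  # ip -> Offender, in the order they tripped
    for ev in parse_failures(lines):
        if ev.ip in flagged or any(ipaddress.ip_address(ev.ip) in n for n in nets):
            continue
        q = recent[ev.ip]
        q.append(ev.when)
        while q and ev.when - q[0] > window:   # drop entries older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ev.ip] = Offender(ev.ip, len(q), ev.when)
    return list(flagged.values())


def pf_block_commands(offenders, table="bruteforce"):
    """pfctl commands that add the offenders to a pf table. The table name is an
    assumption; pf.conf must declare it (`table <bruteforce> persist`) and block
    from it (`block in quick from <bruteforce>`) for the entries to have effect."""
    return [f"pfctl -t {table} -T add {o.ip}" for o in offenders]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for o in find_offenders(lines, whitelist=["198.51.100.0/24"]):
        print(f"{o.ip}: {o.attempts} failures by {o.flagged_at:%b %d %H:%M:%S}")
    for cmd in pf_block_commands(find_offenders(lines)):
        print(cmd)
```

Two things the window buys you that a plain count does not: the slow prober at 192.0.2.10 makes five attempts, but spread over 100 seconds, so it is never flagged at a 60-second window and is flagged as soon as the window is widened to 120 seconds; and the whitelist keeps a mistyped password from your own office from adding your own address to the block table. For the "temporarily" part of Nathan's question, pf tables do not age entries on their own, so pair the add with a periodic `pfctl -t bruteforce -T expire 3600` (or whatever lifetime you want) from cron; BlockHosts and DenyHosts handle that expiry themselves in their hosts.allow/hosts.deny entries.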