From: "Nigel (Merv) Hughes"
To: freebsd-questions@freebsd.org
Cc: Brad Gilmer
Date: Tue, 7 Feb 2006 09:17:26 +0000
Subject: Re: sshd possible breakin attempt messages
In-Reply-To: <20060206162304.GA83056@gilmer.org>
Message-Id: <200602070917.27095.merv@merv.org.uk>
Hi Brad,

I don't know much about the nuts and bolts of FreeBSD or security, but I recently had the same problem as you. I found that the DenyHosts port (http://denyhosts.sourceforge.net/index.html) fixed the problem very well. The non-standard hosts.evil set-up works best with the FreeBSD hosts.allow format. You end up with a hosts.allow that looks a bit like this:

#
# DenyHosts cron job checks the logs and adds
# the bad IPs to hosts.evil
#
ALL: /usr/local/etc/hosts.evil : deny
#
# Trust everyone until the logs say they tried a bad thing.
#
ALL : ALL : allow

The FAQs on the website are very good and the DenyHosts config file is well commented, so the set-up and install is very easy.

I hope this helps.

Merv

On Monday 06 February 2006 16:23, Brad Gilmer wrote:
> Hello all,
>
> I guess one of the banes of our existence as sys admins is that people are
> always pounding away at our systems trying to break in. Lately, I have
> been getting hit with several hundred of the messages below per day in my
> security report output...
>
> gilmer.org login failures:
> Feb 5 11:18:17 gilmer sshd[78078]: reverse mapping checking getaddrinfo for 206-171-37-232.ded.pacbell.net failed - POSSIBLE BREAKIN ATTEMPT!
> Feb 5 11:18:18 gilmer sshd[78080]: reverse mapping checking getaddrinfo for 206-171-37-232.ded.pacbell.net failed - POSSIBLE BREAKIN ATTEMPT!
> Feb 5 11:18:20 gilmer sshd[78082]: reverse mapping checking getaddrinfo for 206-171-37-232.ded.pacbell.net failed - POSSIBLE BREAKIN ATTEMPT!
>
> I am running FreeBSD 5.4 RELEASE, and right now this box is not a
> production machine, but I am going to be taking it live fairly soon.
> Questions:
>
> 1) Is there anything I should be doing to thwart this particular attack?
> 2) Given that I am on 5.4, should I upgrade my sshd or do anything else at
> this point to make sure my machine is as secure as possible?
> 3) (Meta-question) - Should I upgrade to 6.0 before I go live to be sure I am
> in the best possible security situation going forward? Should I wait until
> 6.1 for bug fixes (generally I am opposed to n.0 anything).
>
> Thanks
> Brad
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe@freebsd.org"
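The workflow Merv describes above (a cron job scans the sshd log, writes offending addresses to hosts.evil, and the first line of hosts.allow consults that file) can be sketched as a small sh script. This is an added example written for this page, not DenyHosts' own code and not a configuration posted by either participant; the failure threshold, the temporary work directory standing in for /usr/local/etc, and the sshd log lines are constructed. One detail visible in Brad's quoted lines is worth keeping in mind: the "reverse mapping checking getaddrinfo ... POSSIBLE BREAKIN ATTEMPT!" message names only the forward host, not the client address, so an address-based deny list has to be built from the "Failed password" / "Invalid user" lines rather than from that message.

```shell
#!/bin/sh
# Added example (not DenyHosts code): a minimal log scan that produces a
# hosts.evil file for the "ALL: /usr/local/etc/hosts.evil : deny" line in
# hosts.allow. Threshold, paths and log lines below are constructed.

THRESHOLD=3            # failed passwords per source address before listing it
WORKDIR=$(mktemp -d)   # stand-in for /usr/local/etc so the script runs anywhere
EVIL="$WORKDIR/hosts.evil"
LOG="$WORKDIR/auth.log"

# Constructed sshd log lines modelled on Brad's report. The reverse-mapping
# line carries no IP address, so only the "Failed password" lines feed the list.
cat > "$LOG" <<'EOF'
Feb  5 11:18:17 gilmer sshd[78078]: reverse mapping checking getaddrinfo for 206-171-37-232.ded.pacbell.net failed - POSSIBLE BREAKIN ATTEMPT!
Feb  5 11:18:18 gilmer sshd[78078]: Invalid user admin from 206.171.37.232
Feb  5 11:18:18 gilmer sshd[78078]: Failed password for invalid user admin from 206.171.37.232 port 4412 ssh2
Feb  5 11:18:20 gilmer sshd[78080]: Failed password for invalid user test from 206.171.37.232 port 4413 ssh2
Feb  5 11:18:22 gilmer sshd[78082]: Failed password for root from 206.171.37.232 port 4414 ssh2
Feb  5 11:30:01 gilmer sshd[78100]: Failed password for brad from 192.0.2.10 port 51000 ssh2
Feb  5 11:30:05 gilmer sshd[78101]: Accepted publickey for brad from 192.0.2.10 port 51001 ssh2
EOF

# Print "count address" for every source that produced a failed password attempt.
count_failures() {
    sed -n 's/.*sshd\[[0-9]*\]: Failed password for .* from \([0-9.]*\) port .*/\1/p' "$1" \
        | sort | uniq -c | awk '{print $1, $2}'
}

# Rebuild the deny list from the log: one address per line, which is the
# whitespace-separated pattern format hosts_access(5) reads from a file named
# in a client list. The rename is atomic so a connection checked mid-write
# never sees a truncated list.
build_hosts_evil() {
    count_failures "$1" | awk -v t="$THRESHOLD" '$1 >= t {print $2}' | sort > "$2.tmp"
    mv "$2.tmp" "$2"
}

# Exact-match lookup of an address against the list (what the deny line does).
is_denied() {
    grep -qx "$1" "$2"
}

# Number of addresses currently listed, for a quick sanity check from cron.
listed_count() {
    wc -l < "$1" | tr -d ' '
}

build_hosts_evil "$LOG" "$EVIL"
```

Run from cron against /var/log/auth.log with EVIL pointed at /usr/local/etc/hosts.evil and this does what the comment block in Merv's hosts.allow promises. Two caveats a practitioner would want: the deny only applies to daemons that consult hosts.allow through tcp_wrappers (sshd in the FreeBSD base system of that era did), so it is not a firewall rule; and because the list is regenerated from the whole log each run, entries disappear when the log rotates unless the previous hosts.evil is merged back in.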