Date: Tue, 19 Oct 2004 09:22:01 +1000
From: Murray Taylor <murraytaylor@bytecraftsystems.com>
To: Rob <spamrefuse@yahoo.com>
Cc: freebsdquestions <freebsd-questions@freebsd.org>
Subject: Re: Are these attempts by password crackers??
Message-ID: <1098141721.25732.165.camel@wstaylorm.dand06.au.bytecraft.au.com>
In-Reply-To: <41736A22.7000900@yahoo.com>
References: <20041018055122.GB35360@ns2.wananchi.com> <41736A22.7000900@yahoo.com>

The AllowUser parameter in ssh_config is handy too.
man sshd_config (5)

On Mon, 2004-10-18 at 17:00, Rob wrote:
> Odhiambo Washington wrote:
> > Hello users.
> > I run several 5.2.1 boxes (in production).
> >
> > For weeks now, I have seen a lot of notifications from periodic/daily
> > with the output below and I have questions:
> >
> >
> > 1. Is this some virus or some crackers playing around?
> > 2. Why only on 5.2.1 systems and not on any of the 4.10 boxes that I
> >    also run?
> > 3. Am I supposed to be worried at all? Well, I am not ;)
> >    I hate the messages though and there must be something here that I
> >    need to do.
> >
> >
> > <cut>
> >
> > Oct 17 10:44:10 gw sshd[4170]: Failed password for nobody from 210.80.96.185 port 52215 ssh2
> > Oct 17 10:44:19 gw sshd[4172]: Failed password for patrick from 210.80.96.185 port 52337 ssh2
>
> These attackers seem to always poke at port 22 for ssh holes.
> I have three ways to prevent access, from easy to more difficult setup:
>
> 1. restrict sshd access in /etc/hosts.allow, by an entry like
>
>      sshd : 225.50.0.0/255.255.0.0 : allow
>      [...whatever access restrictions to other services...]
>      ALL : ALL : deny
>
>    where 225.50.0.0/255.255.0.0 is an example of the sub-network you're on.
>    Only IPs from this network can access your PC via ssh.
>
> 2. shift your sshd access to another port, by modifying /etc/rc.conf
>
>      sshd_flags="-p 4321"
>
>    but then users should be informed to do "ssh -p 4321 ...." instead.
>    Note: 4321 is just an example; choose your own number > 1024 here.
>
> 3. Use a firewall, that allows access via port 22 only for restricted IPs,
>    but the other sshd port for the whole world.
>    Modify /etc/rc.conf:
>      sshd_flags="-p 22 -p 4321"
>
>    And for example with ipfw:
>
>      [...]
>      check-state
>      [...]
>      allow tcp from any to me 4321 in via rl0 setup
>      allow tcp from 225.50.0.0/16 to me ssh in via rl0 setup
>
>    (replace "rl0" by your own device).
>
>
> I am using (3) and the sshd attacks have dropped to zero.
>
> Rob.

-- 
Murray Taylor
Special Projects Engineer
Bytecraft Systems & Entertainment
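
An added example, not part of the original thread: a small triage script for the "Failed password" lines quoted above, grouping attempts by source address and marking sources that fall outside the network used in the hosts.allow example. The function name `summarize`, the `min_users` threshold, and every sample line after the first two are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Matches sshd "Failed password" lines, including the "invalid user" /
# "illegal user" variants that some OpenSSH versions log.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:invalid|illegal) user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def summarize(lines, allowed_net="225.50.0.0/16", min_users=2):
    """Group failed logins by source; flag sources trying several usernames.

    allowed_net is the example network from the hosts.allow rule in the
    thread; min_users is an assumed threshold for calling a source a sweep.
    """
    net = ipaddress.ip_network(allowed_net)
    users = defaultdict(set)
    counts = defaultdict(int)
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue  # accepted logins and unrelated messages
        try:
            ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # malformed address such as 999.1.1.1
        users[m["ip"]].add(m["user"])
        counts[m["ip"]] += 1
    return {
        ip: {
            "attempts": n,
            "users": sorted(users[ip]),
            "sweep": len(users[ip]) >= min_users,
            "inside_allowed_net": ipaddress.ip_address(ip) in net,
        }
        for ip, n in counts.items()
    }

# First two lines are quoted in the thread; the rest are constructed samples.
SAMPLE = [
    "Oct 17 10:44:10 gw sshd[4170]: Failed password for nobody from 210.80.96.185 port 52215 ssh2",
    "Oct 17 10:44:19 gw sshd[4172]: Failed password for patrick from 210.80.96.185 port 52337 ssh2",
    "Oct 17 10:44:27 gw sshd[4175]: Failed password for invalid user test from 210.80.96.185 port 52410 ssh2",
    "Oct 17 11:02:03 gw sshd[4201]: Failed password for alice from 225.50.3.7 port 40112 ssh2",
    "Oct 17 11:02:40 gw sshd[4201]: Accepted password for alice from 225.50.3.7 port 40112 ssh2",
]

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE).items():
        print(ip, info)
```

Sources reported with `inside_allowed_net` false are the ones the hosts.allow or ipfw restriction would refuse before any password prompt is reached.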