From: Oliver Fromme
Date: Fri, 22 Dec 2006 09:06:17 +0100 (CET)
To: freebsd-stable@FreeBSD.ORG, gmenhennitt@optusnet.com.au
Subject: Re: Block IP
Message-Id: <200612220806.kBM86HgT035285@lurza.secnetix.de>
In-Reply-To: <458AF5BA.5020908@optusnet.com.au>

Graham Menhennitt wrote:
> Christopher Hilton wrote:
> > If it's at all possible switch to using public keys for authentication
> > with ssh and disallow password authentication. This completely stops
> > the brute forcing attacks from filling up your periodic security mail.
> Are you sure about that? I only allow PublickeyAuthentication ssh2
> connections but I get lots of security mail messages like:
>
> Nov 16 01:44:08 maxwell sshd[70067]: Invalid user marcos from 202.54.49.7
> Nov 16 01:44:23 maxwell sshd[70067]: reverse mapping checking getaddrinfo for 49-7.broadband.vsnl.net.in failed - POSSIBLE BREAKIN ATTEMPT!

Those are caused by different things. They're not caused by wrong passwords, but by an illegal user name (first line) or by non-matching reverse DNS (second line). These things are checked even before any user keys are exchanged, so the authentication method doesn't matter. They can be safely ignored, because you're immune to brute-force attacks. If you don't want to see them, a simple "egrep -v ..." in /etc/periodic/security/800.loginfail will do.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Services with a focus on FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author and may not necessarily reflect the opinions of secnetix in any way.
'Instead of asking why a piece of software is using "1970s technology," start asking why software is ignoring 30 years of accumulated wisdom.'
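The "egrep -v" filter the reply suggests, worked through as an added example that is not part of the original thread: it separates the two pre-authentication messages (unknown user name, reverse DNS mismatch) from the "Failed password" lines that would still matter on a key-only host, and keeps a count of what it hides. The sample log lines, addresses and host name are constructed; the function names are this example's own.

```shell
#!/bin/sh
# Constructed sample of sshd log lines in the format quoted in the thread
# (addresses are RFC 5737 documentation ranges, host name is a .invalid placeholder).
SAMPLE_LOG='Nov 16 01:44:08 maxwell sshd[70067]: Invalid user marcos from 192.0.2.10
Nov 16 01:44:23 maxwell sshd[70067]: reverse mapping checking getaddrinfo for host.example.invalid failed - POSSIBLE BREAKIN ATTEMPT!
Nov 16 01:45:02 maxwell sshd[70071]: Failed password for root from 192.0.2.11 port 4022 ssh2
Nov 16 01:46:15 maxwell sshd[70075]: Accepted publickey for graham from 192.0.2.12 port 5010 ssh2
Nov 16 01:47:30 maxwell sshd[70080]: Invalid user admin from 192.0.2.13'

# Messages sshd logs before any authentication exchange: an unknown user
# name, or a reverse DNS answer that does not match the forward lookup.
# With password authentication disabled, neither is a brute-force hit.
PREAUTH_NOISE='sshd\[[0-9]+]: (Invalid user |reverse mapping checking getaddrinfo for )'

# drop_preauth_noise: the "egrep -v" filter from the reply, applied to log
# lines on stdin; everything else passes through unchanged.
drop_preauth_noise() {
    grep -E -v "$PREAUTH_NOISE" || true   # grep exits 1 when nothing is left
}

# count_preauth_noise: how many lines the filter hides, so the volume can
# still be reported in a summary instead of disappearing silently.
count_preauth_noise() {
    grep -E -c "$PREAUTH_NOISE" || true   # prints 0 (and exits 1) when none match
}

# count_failed_passwords: lines worth keeping. With key-only authentication
# they should not occur at all, so a non-zero count means a password
# method is still enabled somewhere.
count_failed_passwords() {
    grep -E -c 'sshd\[[0-9]+]: Failed password for ' || true
}

# Stand-alone run: what the periodic security mail would contain after filtering.
printf '%s\n' "$SAMPLE_LOG" | drop_preauth_noise
printf 'pre-auth noise lines hidden: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | count_preauth_noise)"
printf 'failed password lines kept:  %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | count_failed_passwords)"
```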