Date:      Tue, 9 May 2006 16:16:35 +0100
From:      jad@nominet.org.uk
To:        "M. Goodell" <freebsdutah@yahoo.com>
Cc:        FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: System Intrustion Detection
Message-ID:  <OFC9ACE9E6.6E9E5938-ON80257169.00520F5C-80257169.0053A311@nominet.org.uk>
In-Reply-To: <20060509145403.71699.qmail@web32413.mail.mud.yahoo.com>

Hi,

I would suggest using ssh with RSA key pairs and passphrases only. Don't 
allow password based login or root login over ssh. Only allow root to 
login using the console and use sudo for all admin tasks.

I have not tried this myself but you could use tcpwrappers and write a 
script to add the IP address from repeated failed messages to the 
hosts.deny file. There are various scripts already written to do this. A 
quick Google search found this 
http://security.linux.com/article.pl?sid=05/09/15/1655234 (it's about Linux 
but I am sure the same approach applies to FreeBSD.)

Hope this helps
John

owner-freebsd-questions@freebsd.org wrote on 09/05/2006 15:54:03:

> More and more each day I am seeing my root emails contain hundreds 
> of entries like this:
> 
> May  8 02:23:35 warpstone sshd[26092]: Failed password for root from 222.185.245.208 port 50519 ssh2
> May  8 16:37:41 warpstone ftpd[34713]: FTP LOGIN FAILED FROM 211.44.250.152, Administrator
> 
>   Basically, people are attempting to hack into my server often 
> with a few thousands of attempts each day. What measures can I take 
> to stop these attempts? Is there a way I can detect these attacks 
> and automatically cut them off? Are any of the security ports 
> effective against this?
> 
>   Thank you!
> 
>   M Goodell
> 
> 
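The approach suggested in the reply, counting repeated failures per source address and emitting hosts.deny entries, as an added example (not code from the message or the linked article). The function names, threshold, allow-list networks and the `ALL:` rule form are assumptions, and the sample log lines are constructed in the two formats quoted above.

```python
import ipaddress
import re
from collections import Counter

# Formats as quoted in the message. The greedy ".*" makes the sshd pattern
# capture the address sshd appends at the end of the line, not any text
# inside the client-supplied user name.
SSHD = re.compile(r"sshd\[\d+\]: Failed password for .* from (\S+) port \d+ ssh2$")
FTPD = re.compile(r"ftpd\[\d+\]: FTP LOGIN FAILED FROM ([^,\s]+),")

def failed_sources(lines):
    """Count failed logins per source address; skip anything that is not an IP."""
    counts = Counter()
    for line in lines:
        line = line.rstrip()
        m = SSHD.search(line) or FTPD.search(line)
        if not m:
            continue
        try:
            counts[ipaddress.ip_address(m.group(1))] += 1
        except ValueError:  # host name or malformed field: never written out
            continue
    return counts

def deny_entries(lines, threshold=3, allow=("127.0.0.0/8", "192.0.2.0/24")):
    """Return hosts.deny lines for sources at or above the threshold.

    `allow` (hypothetical values) lists networks that must never be blocked,
    such as the admin's own, so a mistyped password cannot lock you out.
    """
    nets = [ipaddress.ip_network(n) for n in allow]
    entries = []
    for ip, n in sorted(failed_sources(lines).items(), key=lambda kv: str(kv[0])):
        if n < threshold or any(ip in net for net in nets):
            continue
        entries.append(f"ALL: [{ip}]" if ip.version == 6 else f"ALL: {ip}")
    return entries

# Constructed sample log (documentation addresses, not real hosts).
SAMPLE = (
    ["May  8 02:23:35 warpstone sshd[26092]: Failed password for root from 203.0.113.7 port 50519 ssh2"] * 3
    + ["May  8 02:24:01 warpstone sshd[26093]: Failed password for root from 198.51.100.4 port 40112 ssh2"] * 2
    + ["May  8 16:37:41 warpstone ftpd[34713]: FTP LOGIN FAILED FROM 198.51.100.9, Administrator"] * 3
    + ["May  8 17:02:10 warpstone sshd[26110]: Failed password for root from 192.0.2.10 port 50001 ssh2"] * 3
)

if __name__ == "__main__":
    print("\n".join(deny_entries(SAMPLE)))
```

The returned lines are meant to be reviewed or appended to the deny file by a separate step; the function itself never writes to disk.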


