Date: Tue, 14 Sep 2004 22:23:17 -0400
From: Glenn Sieb <ges+lists@wingfoot.org>
To: John DeStefano <deesto@yahoo.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: increasing failed sshd logins/clearing breadcrumb trails
Message-ID: <4147A795.7070400@wingfoot.org>
In-Reply-To: <20040915021543.85849.qmail@web52907.mail.yahoo.com>
References: <20040915021543.85849.qmail@web52907.mail.yahoo.com>

John DeStefano said the following on 9/14/2004 10:15 PM:

>I've noticed a few posts over the past week or so regarding users'
>servers being probed by remote ssh attempts. Coincidentally (or
>perhaps not so), around that time, I began getting quite a few records
>of such attempts to my server, at the rate of about 3 tries per IP, and
>about three IPs per night. Unfortunately, last night (Mon Sep 13),
>this attack was much more concentrated and persistent: someone from (or
>spoofing from) one IP (211.250.185.100) hammered my server with login
>attempts over a 20-minute period. The last report I got was a final,
>failed root password at 20:22:13 Eastern Time (GMT-5:00).
>
>

I've been getting this for weeks. They're all under APNIC, and emails to
abuse@the involved networks have gone unanswered.

The easiest way to protect this is to check your sshd_config and set:

PermitRootLogin no

Which, if you're exposed to the 'Net, would be a sane practice--force
people to log in as themselves and su (or sudo or sudoscript) to root.

Admittedly, I am not sure about the rest of your posting. When I run
last (on 4.10-STABLE), it shows logins back to the 1st of September.

Best,
Glenn
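
Added example, not part of the original message: a small Python check of which PermitRootLogin value actually takes effect in an sshd_config, since sshd uses the first value it reads for a keyword and a later "no" does not override an earlier "yes". It goes beyond the message by also reporting Match-block overrides; the sample config and the function names are constructed for illustration.

```python
import re

# Constructed sample config (not from the original message).
SAMPLE_CONFIG = """\
# sample sshd_config
Port 22
permitrootlogin yes
PermitRootLogin no
Match Address 192.0.2.0/24
    PermitRootLogin without-password
"""

def root_login_settings(text):
    """Return (global_value, overrides) for PermitRootLogin.

    global_value is the first value seen before any Match block (None if
    unset); overrides is a list of (match_criteria, value) pairs."""
    global_value, overrides = None, []
    match_ctx, seen_in_ctx = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines and comments
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()        # keywords are case-insensitive
        arg = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            match_ctx, seen_in_ctx = arg, False
        elif keyword == "permitrootlogin":
            value = arg.split()[0] if arg else ""
            if match_ctx is None:
                if global_value is None:  # first obtained value wins
                    global_value = value
            elif not seen_in_ctx:
                overrides.append((match_ctx, value))
                seen_in_ctx = True
    return global_value, overrides

def audit(text):
    """Return a list of findings; an empty list means root login is off."""
    findings = []
    global_value, overrides = root_login_settings(text)
    if global_value is None:
        findings.append("PermitRootLogin unset; sshd's built-in default applies")
    elif global_value != "no":            # exact compare, reports anything else
        findings.append(f"global PermitRootLogin is '{global_value}'")
    for ctx, value in overrides:
        if value != "no":
            findings.append(f"Match {ctx} sets PermitRootLogin '{value}'")
    return findings
```

To audit a live host, pass the file's contents, e.g. audit(open("/etc/ssh/sshd_config").read()).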