From: Glenn Sieb
Date: Tue, 14 Sep 2004 22:23:17 -0400
To: John DeStefano
Cc: freebsd-questions@freebsd.org
Subject: Re: increasing failed sshd logins/clearing breadcrumb trails
Message-ID: <4147A795.7070400@wingfoot.org>
In-Reply-To: <20040915021543.85849.qmail@web52907.mail.yahoo.com>

John DeStefano said the following on 9/14/2004 10:15 PM:
> I've noticed a few posts over the past week or so regarding users'
> servers being probed by remote ssh attempts. Coincidentally (or
> perhaps not so), around that time, I began getting quite a few records
> of such attempts to my server, at the rate of about 3 tries per IP, and
> about three IPs per night. Unfortunately, last night (Mon Sep 13),
> this attack was much more concentrated and persistent: someone from (or
> spoofing from) one IP (211.250.185.100) hammered my server with login
> attempts over a 20-minute period. The last report I got was a final,
> failed root password at 20:22:13 Eastern Time (GMT-5:00).

I've been getting this for weeks. They're all under APNIC, and emails to abuse@ the involved networks have gone unanswered.

The easiest way to protect this is to check your sshd_config and set:

    PermitRootLogin no

Which, if you're exposed to the 'Net, would be a sane practice--force people to log in as themselves and su (or sudo or sudoscript) to root.

Admittedly, I am not sure about the rest of your posting. When I run last (on 4.10-STABLE), it shows logins back to the 1st of September.

Best,
Glenn
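As an added example (not part of the original thread), a small POSIX shell script that does the two things discussed above from the defender's side: tallies failed sshd password attempts per source IP from auth.log-style lines, and checks whether an sshd_config text actually has an effective "PermitRootLogin no". The log lines, IP addresses and config fragments are constructed samples, not data from the mail.

```shell
#!/bin/sh
# Constructed sample of OpenSSH auth.log lines (FreeBSD 4.x era wording).
SAMPLE_LOG='Sep 13 20:05:01 host sshd[1201]: Failed password for root from 203.0.113.10 port 40001 ssh2
Sep 13 20:05:03 host sshd[1201]: Failed password for root from 203.0.113.10 port 40001 ssh2
Sep 13 20:05:05 host sshd[1203]: Failed password for illegal user test from 203.0.113.10 port 40002 ssh2
Sep 13 20:22:13 host sshd[1290]: Failed password for root from 198.51.100.7 port 3322 ssh2
Sep 13 20:30:00 host sshd[1300]: Accepted password for glenn from 192.0.2.5 port 5000 ssh2'

# Constructed sshd_config fragments: a commented-out directive (no explicit
# setting) beside the corrected one Glenn recommends.
SAMPLE_CONFIG_WEAK='#PermitRootLogin yes
PasswordAuthentication yes'
SAMPLE_CONFIG_FIXED='PermitRootLogin no
PasswordAuthentication yes'

# Count failed sshd password attempts per source IP.
# Output: one "count ip" line per address, busiest address first.
failed_by_ip() {
    printf '%s\n' "$1" \
      | awk '/sshd\[[0-9]+\]: Failed password for/ {
               for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1)
             }' \
      | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Count failed attempts against root specifically: the part of the noise
# that "PermitRootLogin no" turns into immediate rejections.
failed_root() {
    printf '%s\n' "$1" | grep -c 'Failed password for root from'
}

# Succeed (exit 0) only if the config text explicitly sets PermitRootLogin
# to "no". sshd honours the first occurrence of a keyword, so we stop at the
# first uncommented match; a commented or absent directive is reported as
# not disabled rather than guessing the build's compiled-in default.
root_login_disabled() {
    printf '%s\n' "$1" \
      | awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' \
      | grep -qx 'no'
}

failed_by_ip "$SAMPLE_LOG"
echo "failed root attempts: $(failed_root "$SAMPLE_LOG")"
root_login_disabled "$SAMPLE_CONFIG_FIXED" && echo "fixed config: root login disabled"
root_login_disabled "$SAMPLE_CONFIG_WEAK" || echo "weak config: root login NOT explicitly disabled"
```

On a live system, replace the sample variables with `cat /var/log/auth.log` and `cat /etc/ssh/sshd_config` respectively; the functions read whatever text they are given.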