From: Daniel Bye <danielby@slightlystrange.org>
To: FreeBSD Questions <freebsd-questions@freebsd.org>
Date: Tue, 9 May 2006 16:24:02 +0100
Subject: Re: System Intrusion Detection
Message-ID: <20060509152402.GD1517@catflap.slightlystrange.org>
In-Reply-To: <20060509145403.71699.qmail@web32413.mail.mud.yahoo.com>
User-Agent: Mutt/1.4.2.1i

On Tue, May 09, 2006 at 07:54:03AM -0700, M. Goodell wrote:
> More and more each day I am seeing my root emails contain hundreds of entries like this:
>
> May 8 02:23:35 warpstone sshd[26092]: Failed password for root from 222.185.245.208 port 50519 ssh2
> May 8 16:37:41 warpstone ftpd[34713]: FTP LOGIN FAILED FROM 211.44.250.152, Administrator
>
> Basically, people are attempting to hack into my server, often with
> a few thousand attempts each day. What measures can I take to stop
> these attempts? Is there a way I can detect these attacks and
> automatically cut them off? Are any of the security ports effective
> against this?

Don't feel too bad - the little bastards try it on anywhere and everywhere.
There are a few things you can do to stop them in their tracks.

From what I gather, the pf firewall provides some neat table functionality
that can be put to use in this situation. I have never used pf, so will not
say more of it here.

I use DenyHosts, which is intended to stop brute force ssh attacks, but which
can be used to deny unwanted/unwelcome connections to any or all services.
It's in the ports, is easy to set up and works really well. There is a
synchronisation server from which it can download IP addresses that have
been logged trying to mount attacks, and it allows your DenyHosts to upload
addresses that have tried to crack you.

There are a couple of things you can do to protect your sshd. First, allow
only public key authentication. This may not be practical in all situations,
but it is a very good way of preventing dictionary attacks from succeeding!
Secondly, set AllowGroups or AllowUsers in your sshd.config, so that only
explicitly permitted users or groups can request a login.

HTH

Dan

-- 
Daniel Bye
PGP Key: ftp://ftp.slightlystrange.org/pgpkey/dan.asc
PGP Key fingerprint: D349 B109 0EB8 2554 4D75 B79A 8B17 F97C 1622 166A
ASCII ribbon campaign - against HTML, vCards and proprietary attachments in e-mail
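As an added example for the detection step asked about in this thread (it is not code from the thread, nor DenyHosts' own code, though DenyHosts itself is a Python tool): a small script that parses the two log line formats quoted above, counts failed logins per source address, skips an operator-supplied allowlist so an admin's own typos never block the network they manage from, and builds the pfctl commands that would feed a pf table of the kind Dan mentions. The table name `bruteforce`, the threshold of 3, the allowlist `10.0.0.0/8` and the extra sample lines beyond the two quoted are constructed assumptions; the script only prints the commands rather than running them.

```python
#!/usr/bin/env python3
"""Count failed logins per source address in syslog-style auth log lines and
build pf table commands for repeat offenders.

Added example for the mailing-list thread; not DenyHosts code. The table
name, threshold, allowlist and extra sample lines are assumptions."""
import ipaddress
import re
from collections import Counter

# Constructed sample lines, in the same shape as the two quoted in the thread.
SAMPLE_LOG = """\
May  8 02:23:35 warpstone sshd[26092]: Failed password for root from 222.185.245.208 port 50519 ssh2
May  8 02:23:38 warpstone sshd[26094]: Failed password for invalid user admin from 222.185.245.208 port 50520 ssh2
May  8 02:23:41 warpstone sshd[26096]: Failed password for root from 222.185.245.208 port 50521 ssh2
May  8 09:12:07 warpstone sshd[27011]: Accepted publickey for dan from 10.0.0.5 port 40022 ssh2
May  8 16:37:41 warpstone ftpd[34713]: FTP LOGIN FAILED FROM 211.44.250.152, Administrator
May  8 16:37:44 warpstone ftpd[34713]: FTP LOGIN FAILED FROM 211.44.250.152, Administrator
May  8 16:37:49 warpstone sshd[34720]: Failed password for root from 211.44.250.152 port 1234 ssh2
May  8 18:00:00 warpstone sshd[35001]: Failed password for dan from 10.0.0.5 port 40100 ssh2
"""

# One pattern per service. The sshd form covers both "for root" and
# "for invalid user admin"; the ftpd form matches the line quoted above.
FAILURE_PATTERNS = {
    "sshd": re.compile(
        r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
        r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
    ),
    "ftpd": re.compile(
        r"ftpd\[\d+\]: FTP LOGIN FAILED FROM (?P<ip>\d{1,3}(?:\.\d{1,3}){3}), (?P<user>\S+)"
    ),
}


def parse_failures(lines):
    """Yield (service, source_ip, username) for every failed-login line."""
    for line in lines:
        for service, pattern in FAILURE_PATTERNS.items():
            m = pattern.search(line)
            if m:
                yield service, m.group("ip"), m.group("user")
                break


def count_failures(lines):
    """Failed attempts per source address, summed across services."""
    return Counter(ip for _service, ip, _user in parse_failures(lines))


def offenders(lines, threshold=3, allowlist=()):
    """Addresses with at least `threshold` failures, excluding any address
    that falls inside an allowlisted network (CIDR strings)."""
    allowed = [ipaddress.ip_network(net) for net in allowlist]
    result = []
    for ip, count in count_failures(lines).items():
        if count < threshold:
            continue
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in allowed):
            continue
        result.append(ip)
    return sorted(result)


def pf_commands(ips, table="bruteforce"):
    """pfctl invocations that would add each address to a pf table.
    Built as strings only; the table name is an assumption and must match
    a `table <bruteforce> persist` line in pf.conf."""
    return [f"pfctl -t {table} -T add {ip}" for ip in ips]


if __name__ == "__main__":
    bad = offenders(SAMPLE_LOG.splitlines(), threshold=3, allowlist=("10.0.0.0/8",))
    for cmd in pf_commands(bad):
        print(cmd)
```

On a real host the lines would come from `/var/log/auth.log` rather than `SAMPLE_LOG`, and the printed commands only do anything once pf.conf declares the table (`table <bruteforce> persist`) and has a rule such as `block in quick from <bruteforce>`. Review the list before piping it to a shell: one misconfigured client can rack up failures just as fast as an attacker, which is why the allowlist exists.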