From: "Ean Kingston" <ean@istop.com>
To: "M. Goodell", "FreeBSD Questions" <freebsd-questions@freebsd.org>
Date: Tue, 9 May 2006 11:24:59 -0400 (EST)
Subject: Re: System Intrusion Detection
In-Reply-To: <20060509145403.71699.qmail@web32413.mail.mud.yahoo.com>
Message-Id: <20060509152507.0012017C007@www.istop.com>
List-Id: User questions <freebsd-questions@freebsd.org>

M,

There are several choices you can make to deal with this.

First, be sure your root password is 'strong'. Generally 'strong' means that it is a combination of upper case, lower case, and numbers with a decent length. I personally go with at least 12 characters and throw in some punctuation as well. Also, don't use real words.

Second, configure your ssh daemon to only support public key authentication (PubkeyAuthentication, RSAAuthentication). This means every user needs to have a public/private key pair. One part stays on the server, the other goes to the remote system and is used to authenticate with the server. This also makes the password attacks you are seeing pretty useless.

Third, if your users are all coming in from a relatively small list of IP addresses, you can consider using tcpwrappers (which should have been built in to your sshd daemon). This allows you to configure the sshd daemon to only allow access from a restricted set of IP addresses (or block a specific set of addresses). This method will also stop those messages from appearing in your mail once it is set up properly.

I use all three techniques. Unfortunately, I have found that I have to pretty much exclude large parts of the world from accessing my ssh server for the third option to be effective and it is getting worse. I used to have to block only a handful of countries but I'm now seeing attempts from several continents.

"M. Goodell" said:
> More and more each day I am seeing my root emails contain hundreds of entries like this:
>
> May 8 02:23:35 warpstone sshd[26092]: Failed password for root from 222.185.245.208 port 50519 ssh2
> May 8 16:37:41 warpstone ftpd[34713]: FTP LOGIN FAILED FROM 211.44.250.152, Administrator
>
> Basically, people are attempting to hack into my server often with a few thousands of attempts each day. What measures can I take to stop these attempts? Is there a way I can detect these attacks and automatically cut them off? Are any of the security ports effective against this?
>
> Thank you!
>
> M Goodell

-- 
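As an added illustration of the detection-and-block question raised in the quoted message and the tcpwrappers approach suggested in the reply (not code from either poster), the script below tallies failed logins per source from syslog lines in the two formats quoted above and renders repeat offenders as FreeBSD /etc/hosts.allow deny rules. The log lines and addresses are constructed samples; the threshold of 3 is an arbitrary assumption.

```python
import re
from collections import Counter

# Constructed sample log lines modelled on the two formats quoted in the
# thread (sshd "Failed password" and ftpd "FTP LOGIN FAILED"). The
# addresses are documentation ranges, not real sources.
SAMPLE_LOG = """\
May  8 02:23:35 warpstone sshd[26092]: Failed password for root from 192.0.2.10 port 50519 ssh2
May  8 02:23:39 warpstone sshd[26092]: Failed password for root from 192.0.2.10 port 50520 ssh2
May  8 02:23:44 warpstone sshd[26093]: Failed password for invalid user admin from 192.0.2.10 port 50521 ssh2
May  8 09:10:02 warpstone sshd[27001]: Failed password for bob from 198.51.100.7 port 41000 ssh2
May  8 16:37:41 warpstone ftpd[34713]: FTP LOGIN FAILED FROM 203.0.113.5, Administrator
May  8 16:37:45 warpstone ftpd[34713]: FTP LOGIN FAILED FROM 203.0.113.5, Administrator
May  8 16:37:50 warpstone ftpd[34714]: FTP LOGIN FAILED FROM 203.0.113.5, root
"""

# One pattern per log format; each captures (daemon name, source address).
SSHD_RE = re.compile(r" (sshd)\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+")
FTPD_RE = re.compile(r" (ftpd)\[\d+\]: FTP LOGIN FAILED FROM ([^,]+),")


def count_failures(log_text):
    """Return {(daemon, source_ip): number of failed logins} for the given syslog text."""
    counts = Counter()
    for line in log_text.splitlines():
        m = SSHD_RE.search(line) or FTPD_RE.search(line)
        if m:
            counts[(m.group(1), m.group(2))] += 1
    return counts


def offenders(log_text, threshold=3):
    """Sorted (daemon, source_ip) pairs with at least `threshold` failures against one daemon."""
    return sorted(key for key, n in count_failures(log_text).items() if n >= threshold)


def hosts_allow_lines(log_text, threshold=3):
    """Render offenders as tcpwrappers deny rules in FreeBSD /etc/hosts.allow syntax.

    hosts.allow is evaluated first-match, so these lines belong above any
    broad 'ALL : ALL : allow' rule; review them before appending.
    """
    return [f"{daemon} : {ip} : deny" for daemon, ip in offenders(log_text, threshold)]


if __name__ == "__main__":
    for rule in hosts_allow_lines(SAMPLE_LOG):
        print(rule)
```

Run against a real /var/log/auth.log the same functions would feed a cron job; a source that trips the threshold only once still needs a human look before it is denied permanently.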