From owner-freebsd-questions@FreeBSD.ORG Tue Jan 24 21:02:45 2006
From: "Ilias Sachpazidis"
Date: Tue, 24 Jan 2006 22:02:26 +0100
Organization: Fraunhofer IGD
Message-ID: <002401c62129$7c138e70$050a0a0a@hermes>
In-Reply-To: <43D67DC9.5030509@infracaninophile.co.uk>
Subject: auth.log & intruder prevention
Reply-To: Ilias.Sachpazidis@igd.fraunhofer.de

Hi Everyone,

In auth.log of my FreeBSD boxes I got many requests to port 22, as you can see below.
----begin of snippet
Jan 22 11:21:50 zeus sshd[92900]: Failed password for illegal user cracking from 65.208.188.105 port 58344 ssh2
Jan 22 11:21:53 zeus sshd[92902]: Failed password for illegal user hacking from 65.208.188.105 port 58443 ssh2
Jan 22 11:21:55 zeus sshd[92904]: Failed password for illegal user lol from 65.208.188.105 port 58543 ssh2
Jan 22 11:21:57 zeus sshd[92906]: Failed password for illegal user pgl from 65.208.188.105 port 58640 ssh2
Jan 22 11:22:00 zeus sshd[92908]: Failed password for illegal user player from 65.208.188.105 port 58741 ssh2
Jan 22 11:22:02 zeus sshd[92910]: Failed password for illegal user root4me from 65.208.188.105 port 58842 ssh2
----end of snippet

I am wondering if any script is available to prevent hundreds of attempts on port 22 from external IPs that are constantly checking user & passwords on my FreeBSD PCs.

What I am looking for is a daemon application/script that receives the recorded data from auth.log and detects if any remote client (IP address) is checking user and passwords (Detection pattern: 5 missing attempts in 1 min). On a successful detection, the script should add an ipfw rule rejecting further IP packets from the specific remote address.

Is any script or something similar available so far?

All the best,
Ilias
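
The detection pattern asked for above (5 failed attempts from one address within 1 minute, then an ipfw deny rule), as an added example that is not part of the original message or of any existing tool. The function names, the `allow` list, the `year` parameter and the rule text are assumptions, and the code only prints the rule instead of running ipfw.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Greedy over the user name and anchored at end of line: the address is the
# one sshd appended, even if the attempted user name contains " from ... ".
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: Failed password for "
    r"(?:(?:illegal|invalid) user )?.* from (?P<ip>[\d.]+) port \d+ ssh2$")

def offenders(lines, threshold=5, window=timedelta(minutes=1), allow=(), year=2006):
    """Addresses with `threshold` failed logins inside `window`, in order seen."""
    recent = defaultdict(deque)          # address -> recent failure times
    blocked = []
    for line in lines:
        m = FAILED.match(line.strip())
        if not m:
            continue
        try:
            ip = str(ipaddress.IPv4Address(m["ip"]))   # drop malformed addresses
        except ValueError:
            continue
        if ip in allow or ip in blocked:               # never block allowed hosts
            continue
        # syslog lines carry no year, so `year` is an assumed parameter
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        times = recent[ip]
        times.append(ts)
        while ts - times[0] > window:    # slide the window forward
            times.popleft()
        if len(times) >= threshold:
            blocked.append(ip)
    return blocked

def ipfw_rule(ip):
    """Rule text only; the operator decides how and when to apply it as root."""
    return f"ipfw add deny ip from {ipaddress.IPv4Address(ip)} to any"

# Sample input: the six lines quoted in the message.
SAMPLE = """\
Jan 22 11:21:50 zeus sshd[92900]: Failed password for illegal user cracking from 65.208.188.105 port 58344 ssh2
Jan 22 11:21:53 zeus sshd[92902]: Failed password for illegal user hacking from 65.208.188.105 port 58443 ssh2
Jan 22 11:21:55 zeus sshd[92904]: Failed password for illegal user lol from 65.208.188.105 port 58543 ssh2
Jan 22 11:21:57 zeus sshd[92906]: Failed password for illegal user pgl from 65.208.188.105 port 58640 ssh2
Jan 22 11:22:00 zeus sshd[92908]: Failed password for illegal user player from 65.208.188.105 port 58741 ssh2
Jan 22 11:22:02 zeus sshd[92910]: Failed password for illegal user root4me from 65.208.188.105 port 58842 ssh2
""".splitlines()
print("\n".join(ipfw_rule(ip) for ip in offenders(SAMPLE)))
```

Passing the administrator's own addresses in `allow` keeps a mistyped password from locking them out, and the end-anchored pattern stops a crafted user name from getting an unrelated address blocked.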