From: Chris
Date: Wed, 08 Sep 2004 07:36:45 -0500
To: John Mills
cc: FreeBSD-questions
cc: Jonathan Chen
cc: Mike Galvez
Subject: Re: Tar pitting automated attacks
Message-ID: <413EFCDD.9030703@makeworld.com>

John Mills wrote:
> Ahh -
>
> Exactly the scenario here, except the names were different (but similar)
> and the source IP was: 64.124.210.23
>
> Thanks.
>
> On Wed, 8 Sep 2004, Jonathan Chen wrote:
>
>> On Tue, Sep 07, 2004 at 09:42:16AM -0400, Mike Galvez wrote:
>>
>>> I am seeing a lot of automated attacks lately against sshd such as:
>>>
>>
>> [...]
>
> > Sep 6 12:16:39 www sshd[29901]: Failed password for illegal user server from 159.134.244.189 port 4044 ssh2
> > Sep 6 12:16:41 www sshd[29902]: Failed password for illegal user adam from 159.134.244.189 port 4072 ssh2
> ... etc
>
>>> Is there a method to make this more expensive to the attacker, such as
>>> tar-pitting?
>
>> Put in an ipfw block on the netblock/country. At the very least it will
>> make it pretty slow for the initial TCP handshake.
>
> - John Mills
> john.m.mills@alum.mit.edu

I really wish people would stop top posting.

-- 
Best regards,
Chris

Flynn is dead
Tron is dead
long live the MCP.
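
An added example, not written by anyone in the thread: Python that finds the sources behind sshd failure lines like the two quoted above and renders one ipfw deny rule per source, a per-host variant of the netblock block suggested in the quoted reply. The threshold, the 60-second window, the rule numbers, the year and every sample line after the first two (which use documentation addresses) are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Accepts the thread's "illegal user" wording, later "invalid user", and real accounts.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"Failed password for (?:(?:illegal|invalid) user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+")

def parse(lines, year=2004):
    """Yield (timestamp, ip, user); syslog omits the year, so it is supplied."""
    for line in lines:
        if (m := FAILED.match(line)):
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]

def offenders(lines, threshold=3, window=timedelta(seconds=60)):
    """Map ip -> usernames tried, for sources with >= threshold failures in any window."""
    by_ip = defaultdict(list)
    for ts, ip, user in parse(lines):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = sorted({u for _, u in events})
                break
    return flagged

def ipfw_rules(flagged, rule_base=1000):
    """Render (not execute) one deny rule per source; rule_base is arbitrary."""
    return [f"ipfw add {rule_base + i} deny tcp from {ip} to me 22"
            for i, ip in enumerate(sorted(flagged))]

# First two lines are quoted in the thread; the rest are constructed.
SAMPLE = [
    "Sep 6 12:16:39 www sshd[29901]: Failed password for illegal user server from 159.134.244.189 port 4044 ssh2",
    "Sep 6 12:16:41 www sshd[29902]: Failed password for illegal user adam from 159.134.244.189 port 4072 ssh2",
    "Sep 6 12:20:01 www sshd[30010]: Failed password for invalid user test from 192.0.2.10 port 5001 ssh2",
    "Sep 6 12:20:03 www sshd[30011]: Failed password for root from 192.0.2.10 port 5002 ssh2",
    "Sep 6 12:20:05 www sshd[30012]: Failed password for illegal user guest from 192.0.2.10 port 5003 ssh2",
    "Sep 6 12:00:00 www sshd[30020]: Failed password for jdoe from 203.0.113.5 port 6001 ssh2",
    "Sep 6 12:10:00 www sshd[30021]: Failed password for jdoe from 203.0.113.5 port 6002 ssh2",
    "Sep 6 12:20:00 www sshd[30022]: Failed password for jdoe from 203.0.113.5 port 6003 ssh2",
]
```

With the defaults, `offenders(SAMPLE)` flags only the burst from 192.0.2.10; the three failures from 203.0.113.5 are ten minutes apart and stay below the threshold, which is the case a plain per-address count would get wrong.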