Date:      Wed, 8 Sep 2004 14:59:40 +1200
From:      Jonathan Chen <jonc@chen.org.nz>
To:        Mike Galvez <hoosyerdaddy@virginia.edu>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: Tar pitting automated attacks
Message-ID:  <20040908025940.GA12835@grimoire.chen.org.nz>
In-Reply-To: <20040907134216.GB14884@humpty.finadmin.virginia.edu>
References:  <20040907134216.GB14884@humpty.finadmin.virginia.edu>

On Tue, Sep 07, 2004 at 09:42:16AM -0400, Mike Galvez wrote:
> I am seeing a lot of automated attacks lately against sshd such as:
> 
[...]
> Sep  6 12:16:39 www sshd[29901]: Failed password for illegal user server from 159.134.244.189 port 4044 ssh2
> Sep  6 12:16:41 www sshd[29902]: Failed password for illegal user adam from 159.134.244.189 port 4072 ssh2
> Sep  6 12:16:42 www sshd[29903]: Failed password for illegal user alan from 159.134.244.189 port 4104 ssh2
> Sep  6 12:16:43 www sshd[29904]: Failed password for illegal user frank from 159.134.244.189 port 4131 ssh2
> Sep  6 12:16:44 www sshd[29905]: Failed password for illegal user george from 159.134.244.189 port 4152 ssh2
> Sep  6 12:16:45 www sshd[29906]: Failed password for illegal user henry from 159.134.244.189 port 4175 ssh2
> -- snip --
> Some of these go on until they turn the logs over.
> 
> Is there a method to make this more expensive to the attacker, such as tar-pitting?

Put in an ipfw block on the netblock/country. At the very least it will
make it pretty slow for the initial TCP handshake.

Cheers.
-- 
Jonathan Chen <jonc@chen.org.nz>
----------------------------------------------------------------------
                                                 Vini, vidi, velcro...
                                         I came, I saw, I stuck around
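
One way to turn log lines like those quoted above into the ipfw netblock block suggested in the reply, as an added example that is not part of the original message. The function names, the /24 prefix, the threshold of 5 and the rule numbers starting at 1000 are assumptions, and the sample log is constructed from documentation address ranges.

```python
import re
from collections import Counter
from ipaddress import ip_network

# sshd failure line as quoted in the message ("invalid user" is the newer
# wording). The user name comes from the client, so the greedy ".*" and the
# "$" anchor trust only the trailing "from <ip> port <n>" that sshd appends.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:illegal|invalid) user )?.*"
    r" from (\d{1,3}(?:\.\d{1,3}){3}) port \d+(?: ssh\d*)?\s*$"
)

def failures_by_netblock(lines, prefix=24):
    """Count failed sshd logins per IPv4 source netblock."""
    counts = Counter()
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue
        try:
            counts[ip_network(f"{m.group(1)}/{prefix}", strict=False)] += 1
        except ValueError:  # digits matched but are not a valid address
            continue
    return counts

def ipfw_rules(lines, threshold=5, first_rule=1000, prefix=24):
    """Build one ipfw deny rule per netblock with >= threshold failures."""
    counts = failures_by_netblock(lines, prefix)
    noisy = sorted(net for net, n in counts.items() if n >= threshold)
    return [f"ipfw add {first_rule + 10 * i} deny tcp from {net} to me 22"
            for i, net in enumerate(noisy)]

# Constructed sample (documentation address ranges, not real hosts).
SAMPLE_LOG = """\
Sep  6 12:16:39 www sshd[29901]: Failed password for illegal user server from 192.0.2.10 port 4044 ssh2
Sep  6 12:16:41 www sshd[29902]: Failed password for illegal user adam from 192.0.2.10 port 4072 ssh2
Sep  6 12:16:42 www sshd[29903]: Failed password for illegal user alan from 192.0.2.10 port 4104 ssh2
Sep  6 12:16:43 www sshd[29904]: Failed password for illegal user frank from 192.0.2.77 port 4131 ssh2
Sep  6 12:16:44 www sshd[29905]: Failed password for root from 192.0.2.77 port 4152 ssh2
Sep  6 12:16:45 www sshd[29906]: Failed password for illegal user x from 203.0.113.9 port 22 ssh2 from 192.0.2.10 port 4175 ssh2
Sep  6 12:20:01 www sshd[29950]: Failed password for illegal user test from 198.51.100.7 port 5100 ssh2
Sep  6 12:20:09 www sshd[29951]: Accepted publickey for mike from 198.51.100.20 port 5101 ssh2
"""

if __name__ == "__main__":
    for rule in ipfw_rules(SAMPLE_LOG.splitlines()):
        print(rule)
```

Review the generated rules before loading them, and check that none of them covers an address you administer the host from.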


