Date: Mon, 18 Oct 2004 16:00:50 +0900
From: Rob <spamrefuse@yahoo.com>
To: Odhiambo Washington <wash@wananchi.com>, freebsd-questions@freebsd.org
Subject: Re: Are these attempts by password crackers??
Message-ID: <41736A22.7000900@yahoo.com>
In-Reply-To: <20041018055122.GB35360@ns2.wananchi.com>
References: <20041018055122.GB35360@ns2.wananchi.com>
Odhiambo Washington wrote:
> Hello users.
> I run several 5.2.1 boxes (in production).
>
> For weeks now, I have seen a lot of notifications from periodic/daily
> with the output below and I have questions:
>
> 1. Is this some virus or some crackers playing around?
> 2. Why only on 5.2.1 systems and not on any of the 4.10 boxes that I
>    also run?
> 3. Am I supposed to be worried at all? Well, I am not ;)
>    I hate the messages though and there must be something here that I
>    need to do.
>
> <cut>
>
> Oct 17 10:44:10 gw sshd[4170]: Failed password for nobody from 210.80.96.185 port 52215 ssh2
> Oct 17 10:44:19 gw sshd[4172]: Failed password for patrick from 210.80.96.185 port 52337 ssh2

These attackers seem to always poke at port 22 for ssh holes.
I have three ways to prevent access, from easy to more difficult setup:

1. Restrict sshd access in /etc/hosts.allow, by an entry like

     sshd : 225.50.0.0/255.255.0.0 : allow
     [...whatever access restrictions to other services...]
     ALL : ALL : deny

   where 225.50.0.0/255.255.0.0 is an example of the sub-network you're on.
   Only IPs from this network can access your PC via ssh.

2. Shift your sshd access to another port, by modifying /etc/rc.conf:

     sshd_flags="-p 4321"

   but then users should be informed to do "ssh -p 4321 ...." instead.
   Note: 4321 is just an example; choose your own number > 1024 here.

3. Use a firewall that allows access via port 22 only for restricted IPs,
   but the other sshd port for the whole world. Modify /etc/rc.conf:

     sshd_flags="-p 22 -p 4321"

   And for example with ipfw:

     [...]
     check-state
     [...]
     allow tcp from any to me 4321 in via rl0 setup
     allow tcp from 225.50.0.0/16 to me ssh in via rl0 setup

   (replace "rl0" by your own device).

I am using (3) and the sshd attacks have dropped to zero.

Rob.
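Before deciding which of the three measures to apply, it helps to know how concentrated the "Failed password" noise from periodic/daily actually is. The following POSIX sh script is an added example, not part of Rob's or Odhiambo's mail; it tallies failed sshd password attempts per source IP from auth-log lines and lists the sources above a threshold. The sample log lines are constructed for the example (modelled on the two lines quoted above, plus invented entries from documentation addresses 192.0.2.7 and 198.51.100.4), and the function names failed_by_ip and offenders are the example's own.

```shell
#!/bin/sh
# Added example (not from the original thread): summarise sshd
# "Failed password" lines per source IP, e.g. from /var/log/auth.log.

# Constructed sample input, modelled on the lines quoted in the thread.
SAMPLE_LOG='Oct 17 10:44:10 gw sshd[4170]: Failed password for nobody from 210.80.96.185 port 52215 ssh2
Oct 17 10:44:19 gw sshd[4172]: Failed password for patrick from 210.80.96.185 port 52337 ssh2
Oct 17 10:45:02 gw sshd[4175]: Failed password for invalid user test from 192.0.2.7 port 40111 ssh2
Oct 17 10:46:30 gw sshd[4180]: Accepted publickey for rob from 198.51.100.4 port 51000 ssh2'

# failed_by_ip: read sshd log lines on stdin and print "count ip",
# highest count first. Only "Failed password for ..." lines are counted;
# the IP is the field following the word "from", which also handles the
# "invalid user <name>" variant where the user name shifts the fields.
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            n[ip]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# offenders: read sshd log lines on stdin and print the IPs that produced
# at least $1 failed password attempts (default 2).
offenders() {
    thr="${1:-2}"
    failed_by_ip | awk -v t="$thr" '$1 >= t { print $2 }'
}

# Usage on the constructed sample; on a real box feed the auth log instead:
#   cat /var/log/auth.log | offenders 5
printf '%s\n' "$SAMPLE_LOG" | failed_by_ip
```

With the sample input, failed_by_ip reports two failures from 210.80.96.185 and one from 192.0.2.7, and the accepted login is ignored. Sources that cluster like this are the ones the hosts.allow entry, the alternative port or the ipfw rule from the reply will cut off, and the same tally run again afterwards shows whether the measure worked.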