Date: Tue, 02 Jan 2007 15:23:44 +0100
From: Per olof Ljungmark <peo@intersonic.se>
To: Nathan Vidican <nvidican@wmptl.com>
Cc: questions@freebsd.org
Subject: Re: sshd break-in attempt
Message-ID: <459A6AF0.30305@intersonic.se>
In-Reply-To: <459A5A45.4080309@wmptl.com>
References: <459A5A45.4080309@wmptl.com>

Nathan Vidican wrote:
> We keep getting attempts from what look like a username/password scanner
> utility to login to our servers externally via sshd. Thankfully, we're
> not ignorant enough to leave common account names open, however it is
> annoying to say the least. We're getting things like this:
>
> Jan 1 09:07:34 fw sshd[66547]: Invalid user staff from 208.44.210.15
> Jan 1 09:07:35 fw sshd[66549]: Invalid user sales from 208.44.210.15
> Jan 1 09:07:36 fw sshd[66551]: Invalid user recruit from 208.44.210.15
> Jan 1 09:07:37 fw sshd[66553]: Invalid user alias from 208.44.210.15
> Jan 1 09:07:38 fw sshd[66555]: Invalid user office from 208.44.210.15
> Jan 1 09:07:38 fw sshd[66557]: Invalid user samba from 208.44.210.15
> Jan 1 09:07:39 fw sshd[66559]: Invalid user tomcat from 208.44.210.15
> Jan 1 09:07:40 fw sshd[66561]: Invalid user webadmin from 208.44.210.15
> Jan 1 09:07:41 fw sshd[66563]: Invalid user spam from 208.44.210.15
> Jan 1 09:07:42 fw sshd[66565]: Invalid user virus from 208.44.210.15
> Jan 1 09:07:43 fw sshd[66567]: Invalid user cyrus from 208.44.210.15
> Jan 1 09:07:43 fw sshd[66569]: Invalid user staff from 208.44.210.15
> Jan 1 09:07:44 fw sshd[66571]: Invalid user oracle from 208.44.210.15
>
> In our 'periodic daily' report/email, (only the list goes on for
> hundreds of attempts). Anyhow, long story short; is there not an easy
> way to make sshd block or deny hosts temporarily if X number of invalid
> login attempts are made within a minute's time? Must I use an external
> wrapper to accomplish this, or can it be done with options to sshd on
> its own?

There are several ways to block the attacks, one pointed out by the first
respondent; we use Denyhosts and sshblock here. Google should point you to
several others.

http://www.google.se/search?hl=en&q=ssh+attacks&btnG=Google+Search
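
The "X invalid logins within a minute" rule asked about above, as an added example that is not part of the original message and is not code from Denyhosts or sshblock: it parses sshd lines in the quoted format and reports each source address that reaches a threshold inside a sliding 60-second window. The threshold, the year (syslog omits it) and the 192.0.2.10 lines are assumptions constructed for the example; the other sample lines are from the quoted log.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# sshd syslog format as quoted in the message; newer OpenSSH appends " port N".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>.+?) from (?P<ip>\S+)(?: port \d+)?$"
)

def parse_line(line, year=2007):
    """Return (timestamp, user, ip), or None for lines that are not 'Invalid user'."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    # Syslog timestamps carry no year, so the caller supplies one (assumption).
    ts = datetime.strptime(str(year) + " " + m.group("ts"), "%Y %b %d %H:%M:%S")
    return ts, m.group("user"), m.group("ip")

def find_offenders(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: time at which it first had `threshold` failures inside `window`}."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    offenders = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, _user, ip = parsed
        attempts = recent[ip]
        attempts.append(ts)
        while ts - attempts[0] > window:   # expire attempts older than the window
            attempts.popleft()
        if len(attempts) >= threshold and ip not in offenders:
            offenders[ip] = ts
    return offenders

SAMPLE = """\
Jan 1 09:07:34 fw sshd[66547]: Invalid user staff from 208.44.210.15
Jan 1 09:07:35 fw sshd[66549]: Invalid user sales from 208.44.210.15
Jan 1 09:07:36 fw sshd[66551]: Invalid user recruit from 208.44.210.15
Jan 1 09:07:37 fw sshd[66553]: Invalid user alias from 208.44.210.15
Jan 1 09:07:38 fw sshd[66555]: Invalid user office from 208.44.210.15
Jan 1 09:07:38 fw sshd[66557]: Invalid user samba from 208.44.210.15
Jan 1 09:10:00 fw sshd[66601]: Invalid user test from 192.0.2.10
Jan 1 09:12:30 fw sshd[66640]: Invalid user test from 192.0.2.10
"""

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE.splitlines()).items():
        print(ip, "reached the threshold at", when)
```

The function only reports; feeding the result into a firewall table or hosts.deny with an expiry is left to whatever blocking mechanism is in use.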