Date:      Sat, 18 Sep 2004 13:30:22 -0400
From:      "David D.W. Downey" <david.downey@gmail.com>
To:        Willem Jan Withagen <wjw@withagen.nl>
Cc:        "freebsd-security@FreeBSD.ORG" <freebsd-security@freebsd.org>
Subject:   Re: Attacks on ssh port
Message-ID:  <6917b781040918103077c76f0c@mail.gmail.com>
In-Reply-To: <414C2798.7060509@withagen.nl>
References:  <414C2798.7060509@withagen.nl>

On Sat, 18 Sep 2004 14:18:32 +0200, Willem Jan Withagen <wjw@withagen.nl> wrote:
> Hi,
> 
> Is there a security problem with ssh that I've missed???
> I keep getting these hordes of:
>     Failed password for root from 69.242.5.195 port 39239 ssh2
> with all kinds of different source addresses.
> 
> They have a shot or 15 and then they are off again, but a little later on
> they're back and keep clogging my logs.
> Is there an "easy" way of getting these ip-numbers added to the
> blocking-list of ipfw??
> 
> Thanx,
> --WjW

Well, you want to see those. So long as you have

PermitRootLogin no

in your /etc/ssh/sshd_config, they won't be able to get in since ssh
is then denied for root (except via a valid ssh key which you can
further lock down by adding

from="ip.addr, forward.dns.record.of.host" 

to the beginning of your ssh-dsa or ssh-rsa key line in ~/.ssh/authorized_keys)

A better solution to the verbosity level would probably be to change
your kernel config to have something like

options  IPFIREWALL_VERBOSE_LIMIT=3

or using the sysctl.conf oid

net.inet.ip.fw.verbose_limit=3

Then you can still see the attempts (and thus log the IP information
for contacting the abuse@ for the responsible IP controller) while
limiting your log sizes.

-- 
David D.W. Downey
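
Added example, not part of the original message: a Python script that counts the `Failed password for root` log lines quoted in this thread per source address, so the addresses can be collected for an abuse report or a block list. The sample log lines, the threshold and the allowlisted network are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Exact sshd message quoted in the thread, anchored at end of line so that
# failures for other user names are not counted.
FAILED_ROOT = re.compile(r"Failed password for root from (\S+) port \d+ ssh2\s*$")

# Constructed sample log (documentation-range addresses, not real hosts).
SAMPLE_LOG = """\
Sep 18 12:01:10 host sshd[4121]: Failed password for root from 192.0.2.10 port 39239 ssh2
Sep 18 12:01:12 host sshd[4121]: Failed password for root from 192.0.2.10 port 39240 ssh2
Sep 18 12:01:15 host sshd[4121]: Failed password for root from 192.0.2.10 port 39241 ssh2
Sep 18 12:02:01 host sshd[4125]: Failed password for root from 203.0.113.5 port 51000 ssh2
Sep 18 12:02:03 host sshd[4125]: Failed password for root from 203.0.113.5 port 51001 ssh2
Sep 18 12:02:40 host sshd[4127]: Failed password for root from 198.51.100.7 port 40110 ssh2
Sep 18 12:03:00 host sshd[4130]: Failed password for invalid user admin from 198.51.100.7 port 40111 ssh2
Sep 18 12:04:00 host sshd[4133]: Accepted publickey for alice from 203.0.113.5 port 51002 ssh2
"""

def failed_root_sources(lines):
    """Count failed root password attempts per source IP address."""
    counts = Counter()
    for line in lines:
        m = FAILED_ROOT.search(line)
        if not m:
            continue
        try:
            counts[str(ipaddress.ip_address(m.group(1)))] += 1
        except ValueError:
            continue  # not a literal IP address (e.g. a hostname): skip it
    return counts

def sources_over(counts, threshold, allowlist=()):
    """Return (address, count) pairs at or above threshold, skipping allowlisted networks."""
    nets = [ipaddress.ip_network(n) for n in allowlist]
    hits = []
    for addr, n in counts.most_common():
        ip = ipaddress.ip_address(addr)
        if n >= threshold and not any(ip in net for net in nets):
            hits.append((addr, n))
    return hits

if __name__ == "__main__":
    counts = failed_root_sources(SAMPLE_LOG.splitlines())
    # 203.0.113.0/24 stands in for your own admin network (assumption).
    for addr, n in sources_over(counts, threshold=2, allowlist=["203.0.113.0/24"]):
        print(f"{addr}\t{n} failed root logins")
```

The allowlist keeps an address you administer from ending up on a block list after a few mistyped passwords.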