Skip site navigation (1)Skip section navigation (2) 
Date:      Wed, 24 Aug 2005 11:18:50 -0700
From:      "Chris St Denis" <chris@aebc.com>
To:        "'Pat Maddox'" <pergesu@gmail.com>, "'FreeBSD Questions'" <freebsd-questions@freebsd.org>
Subject:   RE: Illegal access attempt - FreeBSD 5.4 Release - please advise
Message-ID:  <200508241119671.SM00756@chris>
In-Reply-To: <810a540e0508232127737d91fb@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help 
How can I easily auto deny after x failed attempts? Is this an sshd setting?
I could find it.

Is there something in ports that will firewall off somebody who is brute
forcing?

-----Original Message-----
From: owner-freebsd-questions@freebsd.org
[mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Pat Maddox
Sent: Tuesday, August 23, 2005 9:27 PM
To: FreeBSD Questions
Subject: Re: Illegal access attempt - FreeBSD 5.4 Release - please advise

It's not that big of a deal...they didn't get in or anything.  If
you've got a server that's always connected to the internet, you'll
see people trying to break in all the time.  The more popular your
server, the more frequent the attempts.  This is just someone trying
to log in via SSH - so as long as you have good passwords on all your
accounts, and disable remote root login, you're fine.

You may consider denying access after X failed login attempts.


On 8/23/05, ro ro <ricking505@yahoo.com> wrote:
> Hi All,
> 
> I was browsing through my log files and noticed that
> someone (or many people) is trying to gain illegal
> access to my server (see snippet from log files
> below).
> 
> The below log file clearly indicates someone trying to
> hackaway at my personal server.
> 
> I performed the following steps:
> 
> nmap -v  210.0.142.153
> 
> and noticed that this person/institution had port 80
> and 21 open.
> 
> I visited their website and it appears to be someone
> from hongkong.
> http://www.chkpcc.edu.hk/
> 
> HERE IS THEIR CONTACT INFORMATION AS IT APPEARS ON
> THEIR WEBSITE
> -------------------------------------------------------------
> Confucian Ho Kwok Pui Chun College $B9&(B $B65(B
> $BU\(B $B1!(B $B2?(B $B3T(B $BPP(B $BDA(B
> $BCf(B $BU\(B
> Address $BCOT.!'(B Fu Shin Est., Taipo,
> N.T., HKSAR
> $B9a9A?73&BgT>IYA1B<(B
> Tel $BEEOC!'(B 852-2666-5926
> Fax $BQ#??!'(B 852-2660-7988
> E-mail $BEEM9!'(B info@chkpcc.edu.hk
> -------------------------------------------------------------
> 
> 
> When I saw the logs for the first time. I took the
> following steps:
> 1) AllowUsers in sshd contained only users that I
> wanted to have access to my ssh
> 2) Created a decent rulest within ipfw that permitted
> incoming access to only two ports ssh and http
> 
> I took the issue of creating a good firewall quite
> lightly and now I regret that decision.. now I have
> learnt... Can someone provide me with guidance on this
> issue and advise me on next steps to take action
> against such losers.
> 
> Thanks
> RV
> 
> Aug 23 08:19:03 free sshd[22519]: Illegal user lp from
> 210.0.142.153
> Aug 23 08:19:06 free sshd[22521]: Illegal user admin
> from 210.0.142.153
> Aug 23 08:19:08 free sshd[22523]: Illegal user admin
> from 210.0.142.153
> Aug 23 08:19:10 free sshd[22525]: Illegal user admin
> from 210.0.142.153
> Aug 23 08:19:12 free sshd[22527]: Illegal user admin
> from 210.0.142.153
> Aug 23 08:19:15 free sshd[22529]: Illegal user admin
> from 210.0.142.153
> Aug 23 08:19:17 free sshd[22531]: Illegal user admin
> from 210.0.142.153
> Aug 23 08:19:19 free sshd[22533]: Illegal user admin
> from 210.0.142.153
> Aug 23 08:19:22 free sshd[22535]: User root not
> allowed because not listed in AllowUsers
> Aug 23 08:19:24 free sshd[22537]: User root not
> allowed because not listed in AllowUsers
> Aug 23 08:19:27 free sshd[22539]: User root not
> allowed because not listed in AllowUsers
> Aug 23 08:19:29 free sshd[22541]: User root not
> allowed because not listed in AllowUsers
> Aug 23 08:19:33 free sshd[22543]: User root not
> allowed because not listed in AllowUsers
> Aug 23 08:19:35 free sshd[22545]: User root not
> allowed because not listed in AllowUsers
> Aug 23 08:19:37 free sshd[22547]: Illegal user apache
> from 210.0.142.153
> Aug 23 08:19:40 free sshd[22549]: Illegal user dan
> from 210.0.142.153
> Aug 23 08:19:42 free sshd[22551]: Illegal user electra
> from 210.0.142.153
> Aug 23 08:19:44 free sshd[22553]: Illegal user student
> from 210.0.142.153
> Aug 23 08:19:47 free sshd[22555]: Illegal user school
> from 210.0.142.153
> Aug 23 08:19:49 free sshd[22557]: User mysql not
> allowed because not listed in AllowUsers
> 
> 
> Aug 11 20:16:10 free sshd[21585]: Illegal user test
> from 210.245.197.16
> Aug 11 20:16:12 free sshd[21587]: Illegal user guest
> from 210.245.197.16
> Aug 11 20:16:14 free sshd[21589]: Illegal user admin
> from 210.245.197.16
> Aug 11 20:16:16 free sshd[21591]: Illegal user admin
> from 210.245.197.16
> Aug 11 20:16:23 free sshd[21593]: Illegal user user
> from 210.245.197.16
> Aug 11 20:16:32 free sshd[21601]: Illegal user test
> from 210.245.197.16
> 
> Aug 14 03:39:21 free sshd[32377]: Illegal user 1 from
> 61.145.222.10
> Aug 14 03:39:26 free sshd[32379]: Illegal user a from
> 61.145.222.10
> Aug 14 03:39:31 free sshd[32381]: Illegal user a from
> 61.145.222.10
> Aug 14 03:39:38 free sshd[32383]: Illegal user abuse
> from 61.145.222.10
> Aug 14 10:47:49 free sshd[33623]: Illegal user admin
> from 64.222.146.197
> Aug 14 10:47:51 free sshd[33625]: Illegal user
> administrator from 64.222.146.197
> Aug 14 10:47:52 free sshd[33627]: Illegal user jack
> from 64.222.146.197
> Aug 14 10:47:53 free sshd[33629]: Illegal user marvin
> from 64.222.146.197
> Aug 14 10:47:58 free sshd[33631]: Illegal user andres
> from 64.222.146.197
> Aug 14 10:47:59 free sshd[33633]: Illegal user barbara
> from 64.222.146.197
> Aug 14 10:48:01 free sshd[33635]: Illegal user adine
> from 64.222.146.197
> Aug 14 10:48:02 free sshd[33637]: Illegal user test
> from 64.222.146.197
> Aug 14 10:48:04 free sshd[33639]: Illegal user guest
> from 64.222.146.197
> Aug 14 10:48:07 free sshd[33641]: Illegal user db from
> 64.222.146.197
> 
> Aug 23 08:18:40 free sshd[22499]: Illegal user demo
> from 210.0.142.153
> Aug 23 08:18:43 free sshd[22501]: Illegal user
> postgres from 210.0.142.153
> Aug 23 08:18:45 free sshd[22503]: Illegal user
> postmaster from 210.0.142.153
> Aug 23 08:18:47 free sshd[22505]: Illegal user
> postgres from 210.0.142.153
> Aug 23 08:18:49 free sshd[22507]: Illegal user
> postgres from 210.0.142.153
> Aug 23 08:18:52 free sshd[22509]: Illegal user ftp
> from 210.0.142.153
> Aug 23 08:18:54 free sshd[22511]: User news not
> allowed because not listed in AllowUsers
> Aug 23 08:18:56 free sshd[22513]: Illegal user demo
> from 210.0.142.153
> Aug 23 08:18:58 free sshd[22515]: Illegal user
> demouser from 210.0.142.153
> Aug 23 08:19:01 free sshd[22517]: User sshd not
> allowed because not listed in AllowUsers
> 
> 
> 
> 
> 
> 
> 
> 
> __________________________________________________
> Do You Yahoo!?
> Tired of spam?  Yahoo! Mail has the best spam protection around
> http://mail.yahoo.com
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
"freebsd-questions-unsubscribe@freebsd.org"
>

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200508241119671.SM00756>