From: Philip Hallstrom
To: freebsd-questions@freebsd.org
Date: Wed, 6 Apr 2005 09:30:48 -0700 (PDT)
Subject: Re: too many illegal connection attempts through ssh
In-Reply-To: <200504060729.42571.krinklyfig@spymac.com>
Message-ID: <20050406092757.V44943@wolf.pjkh.com>
References: <36f5bbba050406001514562df7@mail.gmail.com> <4253B4CE.6070504@locolomo.org> <200504060729.42571.krinklyfig@spymac.com>

>>>> shown below is a snapshot of too many illegal attempts to login to
>>>> my server from a suspicious hacker. this is taken from the
>>>> "/var/log/auth.log".
>>>>
>>>> my question is, how do i automatically block an IP address if it
>>>> is attempting to guess my login usernames? can i configure the
>>>> firewall to check the instances a certain IP has attempted to
>>>> access/ssh the server, and if it has failed to login for about "x"
>>>> number of attempts, it will be blocked automatically?
>>>
>>> This question is asked on the list ever so often - see the archives
>>> for suggestions. These are automated attacks, they come regularly
>>> as crackers, black hats or script kiddies scan across the net.
>>
>> Does anybody know what robots are being used? And on what systems?
>> All you mention later in your posting is true of course and I
>> needn't care about these logs, but it's like somebody unknown puts
>> 10 flyers in your letterbox every night. I'm sure, one night you'll
>> hide and build a trap for that person. I'm too lazy to enter those
>> net-circles for finding these robots, but maybe some other has
>> already done that?

I haven't done that, but if you don't like them you can block them
fairly easily...

I wrote a little script in PHP (not that it would be hard to re-write
in perl or whatever) that watches /var/log/auth.log and if it sees an
invalid login, it adds a firewall rule to block that IP. Then I've got
a separate cronjob that removes those firewall rules a couple of
minutes later.

Yes, I have locked myself out of my own server when I mistype my
password, but I just wait a minute and it lets me back in.

I thought about modifying it so instead of outright blocking it, it put
it into a pipe that limited its bandwidth to almost nil just to hold
the thing up a bit, but this works for me.

http://www.pjkh.com/sshmonitor/

-philip
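As an added example (not Philip's sshmonitor script, which is linked above), the two halves he describes in Python: scanning auth.log for failed sshd logins and deciding which source IPs to block, plus the cron-job side that expires blocks after a couple of minutes. It assumes the common OpenSSH "Invalid user" / "Failed password" line forms, a constructed log sample, a threshold of three failures in five minutes (so one mistyped password does not lock a legitimate user out), and leaves the actual firewall rule add/remove to the caller.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the syslog style sshd uses in /var/log/auth.log
# (assumption: exact wording varies by OpenSSH version; these are common forms).
SAMPLE_LOG = """\
Apr  6 09:10:01 wolf sshd[4410]: Invalid user admin from 192.0.2.10
Apr  6 09:10:03 wolf sshd[4412]: Invalid user test from 192.0.2.10
Apr  6 09:10:05 wolf sshd[4414]: Invalid user oracle from 192.0.2.10
Apr  6 09:12:40 wolf sshd[4420]: Failed password for philip from 198.51.100.7 port 50122 ssh2
Apr  6 09:13:02 wolf sshd[4421]: Accepted publickey for philip from 198.51.100.7 port 50130 ssh2
"""

FAILURE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Invalid user \S+|Failed password for (?:invalid user )?\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def parse_failures(log_text, year=2005):
    """Return [(timestamp, ip)] for each failed or invalid login line.
    Syslog stamps carry no year, so the caller supplies one (assumption)."""
    out = []
    for line in log_text.splitlines():
        m = FAILURE_RE.match(line)
        if m:
            stamp = " ".join(m.group("ts").split())  # collapse "Apr  6" padding
            ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
            out.append((ts, m.group("ip")))
    return out

def ips_to_block(failures, threshold=3, window=timedelta(minutes=5)):
    """IPs with at least `threshold` failures inside any span of `window`."""
    by_ip = defaultdict(list)
    for ts, ip in failures:
        by_ip[ip].append(ts)
    blocked = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                blocked.add(ip)
                break
    return blocked

def expired_blocks(blocks, now, ttl=timedelta(minutes=2)):
    """Cron-job side: `blocks` maps ip -> time its rule was added;
    returns the IPs whose rule is older than `ttl` and should be removed."""
    return sorted(ip for ip, added in blocks.items() if now - added >= ttl)
```

Feeding `ips_to_block` into a firewall add command and `expired_blocks` into the matching delete from cron reproduces the block-then-release loop described above.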