From owner-freebsd-questions@FreeBSD.ORG Fri Jan 12 22:22:56 2007 Return-Path: X-Original-To: freebsd-questions@freebsd.org Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id AA9AD16A417 for ; Fri, 12 Jan 2007 22:22:56 +0000 (UTC) (envelope-from reko.turja@liukuma.net) Received: from www.liukuma.net (www.liukuma.net [62.220.235.15]) by mx1.freebsd.org (Postfix) with ESMTP id 6400F13C441 for ; Fri, 12 Jan 2007 22:22:56 +0000 (UTC) (envelope-from reko.turja@liukuma.net) Received: from rivendell (c-980471d5.019-61-68617010.cust.bredbandsbolaget.se [213.113.4.152]) (using TLSv1 with cipher RC4-MD5 (128/128 bits)) (No client certificate requested) by www.liukuma.net (Postfix) with ESMTP id 76CC9555C; Fri, 12 Jan 2007 23:54:23 +0200 (EET) Message-ID: <01f401c73694$417d7830$0a0aa8c0@rivendell> From: "Reko Turja" To: "VeeJay" , "FreeBSD-Questions" References: <2cd0a0da0701121343g7fa2535fv4a7b201f5a03aff2@mail.gmail.com> Date: Fri, 12 Jan 2007 23:54:37 +0200 MIME-Version: 1.0 Content-Type: text/plain; format=flowed; charset="iso-8859-1"; reply-type=response Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2900.3028 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3028 Cc: Subject: Re: Please Help! How to STOP them... X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Jan 2007 22:22:56 -0000 From: "VeeJay" To: ; "FreeBSD-Questions" Sent: Friday, January 12, 2007 11:43 PM Subject: Please Help! How to STOP them... >I am reading many hundred lines similar to below mentioned? > > Could you please advise me what to do and how can I make my box more > secure? > > Jan 9 17:54:42 localhost sshd[5130]: reverse mapping checking > getaddrinfo > for bbs-83-179.189.218.on-nets.com [218.189.179.83] failed - > POSSIBLE > BREAK-IN ATTEMPT! > Jan 9 17:54:42 localhost sshd[5130]: Invalid user sysadmin from > 218.189.179.83 It's basically just script kiddies trying to get in using some ready made user/password pairs. Lots of info covering this has been posted in these newsgroups previously, but some things you might consider Moving your sshd port somewhere else than 22 - the prepackaged "cracking" programs don't scan ports, just blindly try out the default port - with determined/skilled attacker it's different matter entirely though. Use some kind of portblocker (lots in ports tree) which closes the port after predetermined number of attempts - or as an alternative, use PF to close the port for IP's in question after predetermined number of connection attempts in given time. Use key based authentication and stop using passwords altogether. Remember to keep ssh1 disabled as well as direct root access into ssh from the ssh config file. -Reko