From owner-freebsd-questions@FreeBSD.ORG  Tue Jan 19 07:21:28 2010
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id AFA871065672
	for <freebsd-questions@freebsd.org>;
	Tue, 19 Jan 2010 07:21:28 +0000 (UTC)
	(envelope-from norgaard@locolomo.org)
Received: from mail.locolomo.org (97.pool85-48-194.static.orange.es
	[85.48.194.97]) by mx1.freebsd.org (Postfix) with ESMTP id 6AC258FC1A
	for <freebsd-questions@freebsd.org>;
	Tue, 19 Jan 2010 07:21:28 +0000 (UTC)
Received: from beta.1-16-172-dyn.locolomo.org (unknown [172.16.1.127])
	by mail.locolomo.org (Postfix) with ESMTPSA id B28101C1A67;
	Tue, 19 Jan 2010 08:21:26 +0100 (CET)
Message-ID: <4B555D74.5060001@locolomo.org>
Date: Tue, 19 Jan 2010 08:21:24 +0100
From: Erik Norgaard <norgaard@locolomo.org>
User-Agent: Thunderbird 2.0.0.23 (Macintosh/20090812)
MIME-Version: 1.0
To: David Southwell <david@vizion2000.net>
References: <201001182239.20153.david@vizion2000.net>
In-Reply-To: <201001182239.20153.david@vizion2000.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
Cc: freebsd-questions@freebsd.org
Subject: Re: /etc/hosts.deniedssh
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jan 2010 07:21:28 -0000

David Southwell wrote:
> Examples from hosts.deniedssh
> I seem to be on the receiving end of a concerted series of unsuccessful break 
> in attacks on one of our systems. One small part of the attack has  resulted 
> in over 2000 entries in our hosts.deniedssh file in less than 1 hour. 
> 
> I would be interested in any comments on the small example shown below and any 
> advice.

1. see thread from last week "denying spam hosts ssh access"
2. don't resolve ips
3. do a sort, you'll see that many come from the same network, possibly 
the same node with a new IP, block entire ranges, blocking individual 
ip's is futile.
4. consider blocking in your firewall
5. don't worry, unsuccesfull attacks are - well, unsuccesfull

BR, Erik

-- 
Erik Nørgaard
Ph: +34.666334818/+34.915211157                  http://www.locolomo.org