From: Eugene Butusov <ebutusov@gmail.com>
To: Mikhail Teterin
Cc: freebsd-security@freebsd.org, freebsd-stable@FreeBSD.org
Date: Thu, 21 Aug 2008 22:18:53 +0200
Subject: Re: machine hangs on occasion - correlated with ssh break-in attempts
Message-ID: <48ADCDAD.80507@gmail.com>
In-Reply-To: <48ADA81E.7090106@aldan.algebra.com>
List: freebsd-stable@freebsd.org (Production branch of FreeBSD source code)

Mikhail Teterin wrote:
> Hello!
>
> A machine I manage remotely for a friend comes under a distributed ssh
> break-in attack every once in a while. Annoyed (and alarmed) by the
> messages like:
>
> Aug 12 10:21:17 symbion sshd[4333]: Invalid user mythtv from 85.234.158.180
> Aug 12 10:21:18 symbion sshd[4335]: Invalid user mythtv from 85.234.158.180
> Aug 12 10:21:20 symbion sshd[4337]: Invalid user mythtv from 85.234.158.180
> Aug 12 10:21:21 symbion sshd[4339]: Invalid user mythtv from 85.234.158.180
>
> I wrote an awk-script, which adds a block of the attacking IP-address to
> the ipfw-rules after three such "invalid user" attempts with:
>
> ipfw add 550 deny ip from ip
>
> The script is fed by syslogd directly -- through a syslog.conf rule
> ("|/opt/sbin/auth-log-watch").

Hi,

You should look at 'bruteblock' (ports/security), it has similar
functionality. It also provides a daemon process, bruteblockd, which is
responsible for removing entries from the ipfw table.

Best regards,
--
_/_/ .. Eugene Butusov
_/_/ ... www.devilka.info
_/_/ ....
ebutusov(at)gmail(dot)com