From: Mike Galvez <mrg8n AT virginia.edu>
To: freebsd-questions@FreeBSD.ORG
Date: Tue, 7 Sep 2004 09:42:16 -0400
Subject: Tar pitting automated attacks
Message-ID: <20040907134216.GB14884@humpty.finadmin.virginia.edu>
User-Agent: Mutt/1.4.2.1i
X-Operating-System: FreeBSD UNIX

I am seeing a lot of automated attacks lately against sshd such as:

Sep 6 12:16:24 www sshd[29888]: Failed password for root from 159.134.244.189 port 3723 ssh2
Sep 6 12:16:25 www sshd[29889]: Failed password for illegal user webmaster from 159.134.244.189 port 3749 ssh2
Sep 6 12:16:26 www sshd[29890]: Failed password for illegal user data from 159.134.244.189 port 3771 ssh2
Sep 6 12:16:27 www sshd[29891]: Failed password for illegal user user from 159.134.244.189 port 3800 ssh2
Sep 6 12:16:28 www sshd[29892]: Failed password for illegal user user from 159.134.244.189 port 3824 ssh2
Sep 6 12:16:29 www sshd[29893]: Failed password for illegal user user from 159.134.244.189 port 3847 ssh2
Sep 6 12:16:31 www sshd[29894]: Failed password for illegal user web from 159.134.244.189 port 3872 ssh2
Sep 6 12:16:32 www sshd[29895]: Failed password for illegal user web from 159.134.244.189 port 3893 ssh2
Sep 6 12:16:33 www sshd[29896]: Failed password for illegal user oracle from 159.134.244.189 port 3918 ssh2
Sep 6 12:16:34 www sshd[29897]: Failed password for illegal user sybase from 159.134.244.189 port 3938 ssh2
Sep 6 12:16:36 www sshd[29898]: Failed password for illegal user master from 159.134.244.189 port 3976 ssh2
Sep 6 12:16:37 www sshd[29899]: Failed password for illegal user account from 159.134.244.189 port 4006 ssh2
Sep 6 12:16:38 www sshd[29900]: Failed password for illegal user backup from 159.134.244.189 port 4022 ssh2
Sep 6 12:16:39 www sshd[29901]: Failed password for illegal user server from 159.134.244.189 port 4044 ssh2
Sep 6 12:16:41 www sshd[29902]: Failed password for illegal user adam from 159.134.244.189 port 4072 ssh2
Sep 6 12:16:42 www sshd[29903]: Failed password for illegal user alan from 159.134.244.189 port 4104 ssh2
Sep 6 12:16:43 www sshd[29904]: Failed password for illegal user frank from 159.134.244.189 port 4131 ssh2
Sep 6 12:16:44 www sshd[29905]: Failed password for illegal user george from 159.134.244.189 port 4152 ssh2
Sep 6 12:16:45 www sshd[29906]: Failed password for illegal user henry from 159.134.244.189 port 4175 ssh2
-- snip --

Some of these go on until they turn the logs over.

Is there a method to make this more expensive to the attacker, such as tar-pitting?

Thanks
-Mike

--
Mike Galvez
Information Technology Specialist
E-Mail: mrg8n AT virginia.edu
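The signature in the log above is many failures per second from one source, cycling through usernames, and that is exactly what a tar pit or per-source rate limit has to key on. As an added example that is not part of the original post or the list thread, here is a small Python script that parses sshd "Failed password" lines, counts failures per source address inside a sliding time window and reports the sources that cross a threshold, which is the list a firewall table or connection-rate rule would then be fed. The sample lines are the ones quoted in the post (the year is taken from the mail date; one extra benign line from 192.0.2.10 is constructed to show a source that is not flagged); the threshold and window values are assumptions to be tuned per site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: sshd lines quoted in the post, plus one constructed
# single failure from 192.0.2.10 (documentation address) that should not be flagged.
SAMPLE_LOG = """\
Sep  6 12:16:24 www sshd[29888]: Failed password for root from 159.134.244.189 port 3723 ssh2
Sep  6 12:16:25 www sshd[29889]: Failed password for illegal user webmaster from 159.134.244.189 port 3749 ssh2
Sep  6 12:16:26 www sshd[29890]: Failed password for illegal user data from 159.134.244.189 port 3771 ssh2
Sep  6 12:16:27 www sshd[29891]: Failed password for illegal user user from 159.134.244.189 port 3800 ssh2
Sep  6 12:16:28 www sshd[29892]: Failed password for illegal user user from 159.134.244.189 port 3824 ssh2
Sep  6 12:16:31 www sshd[29894]: Failed password for illegal user web from 159.134.244.189 port 3872 ssh2
Sep  6 12:16:33 www sshd[29896]: Failed password for illegal user oracle from 159.134.244.189 port 3918 ssh2
Sep  6 12:16:34 www sshd[29897]: Failed password for illegal user sybase from 159.134.244.189 port 3938 ssh2
Sep  6 12:20:01 www sshd[29950]: Failed password for mike from 192.0.2.10 port 40122 ssh2
"""

# Matches the OpenSSH "Failed password" line for both known and "illegal user" accounts.
# The syslog day field may be padded with one or two spaces ("Sep  6" or "Sep 6").
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:illegal user )?(?P<user>\S+) from (?P<src>\S+) port \d+ ssh2$"
)


def parse_failures(text, year=2004):
    """Return a list of (timestamp, source_ip, username) for each failed-login line.

    Syslog timestamps carry no year, so the caller supplies one (assumption: 2004,
    the year of the mail). Lines that do not match are ignored rather than guessed at.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts_text = " ".join(m["ts"].split())  # normalise the padded day field
        ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["user"]))
    return events


def flag_sources(events, threshold=5, window_seconds=60):
    """Flag sources with at least `threshold` failures inside any `window_seconds` span.

    Returns {src: {"failures", "distinct_users", "span_seconds", "rate_per_sec"}}.
    A sliding window (two indices over the sorted timestamps) keeps this linear per source
    and avoids flagging a human who mistypes a password a few times over an afternoon.
    """
    by_src = defaultdict(list)
    for ts, src, user in events:
        by_src[src].append((ts, user))

    flagged = {}
    for src, items in by_src.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while (items[end][0] - items[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                span = (items[-1][0] - items[0][0]).total_seconds()
                flagged[src] = {
                    "failures": len(items),
                    "distinct_users": len({u for _, u in items}),
                    "span_seconds": span,
                    # Guard against a zero span when all failures share one second.
                    "rate_per_sec": len(items) / span if span else float(len(items)),
                }
                break
    return flagged


if __name__ == "__main__":
    for src, info in flag_sources(parse_failures(SAMPLE_LOG)).items():
        print(f"{src}: {info['failures']} failures, {info['distinct_users']} usernames, "
              f"{info['rate_per_sec']:.2f}/s over {info['span_seconds']:.0f}s")
```

On the post's sample the attacking host is reported with 8 failures against 7 different usernames in 10 seconds, a rate no interactive user produces, while the single failure from the constructed benign host is left alone. The `distinct_users` count is worth keeping alongside the raw count: a scan that walks a username list is a different animal from one user locked out of their own account, and the two deserve different responses (a block or tar pit for the former, a notification for the latter).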