From owner-freebsd-stable@FreeBSD.ORG Sat Dec 23 03:18:42 2006 Return-Path: X-Original-To: freebsd-stable@FreeBSD.ORG Delivered-To: freebsd-stable@FreeBSD.ORG Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 3D9EC16A40F for ; Sat, 23 Dec 2006 03:18:42 +0000 (UTC) (envelope-from michael@ircgnet.net) Received: from ws6-8.us4.outblaze.com (ws6-8.us4.outblaze.com [205.158.62.24]) by mx1.freebsd.org (Postfix) with SMTP id 145E513C448 for ; Sat, 23 Dec 2006 03:18:42 +0000 (UTC) (envelope-from michael@ircgnet.net) Received: (qmail 11140 invoked from network); 23 Dec 2006 02:52:01 -0000 Received: from unknown (HELO ?127.0.0.1?) (michael@ircgnet.net@67.168.235.146) by ws6-8.us4.outblaze.com with SMTP; 23 Dec 2006 02:52:01 -0000 Message-ID: <458C99E4.5090800@gmail.com> Date: Fri, 22 Dec 2006 18:52:20 -0800 From: Michael User-Agent: Thunderbird 1.5.0.9 (Windows/20061207) MIME-Version: 1.0 To: freebsd-stable@FreeBSD.ORG, gmenhennitt@optusnet.com.au References: <200612220806.kBM86HgT035285@lurza.secnetix.de> In-Reply-To: <200612220806.kBM86HgT035285@lurza.secnetix.de> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: Subject: Re: Block IP X-BeenThere: freebsd-stable@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Production branch of FreeBSD source code List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 23 Dec 2006 03:18:42 -0000 I can tell you what I do about these, which may not suit your situation especially if this is on a high profile server, but if you are just running FreeBSD for your own purposes I found this to be a great tool. It's called BlockHosts and can be found here http://www.aczoom.com/cms/blockhosts/ If you are on a high profile server however I wouldn't recommend this because your hosts.allow file will fill up, otherwise you may want to check it out. Take care, Michael Oliver Fromme wrote: > Graham Menhennitt wrote: > > Christopher Hilton wrote: > > > If it's at all possible switch to using public keys for authentication > > > with ssh and disallow password authentication. This completely stops > > > the brute forcing attacks from filling up your periodic security mail. > > Are you sure about that? I only allow PublickeyAuthentication ssh2 > > connections but I get lots of security mail messages like: > > > > Nov 16 01:44:08 maxwell sshd[70067]: Invalid user marcos from 202.54.49.7 > > Nov 16 01:44:23 maxwell sshd[70067]: reverse mapping checking getaddrinfo for 49-7.broadband.vsnl.net.in failed - POSSIBLE BREAKIN ATTEMPT! > > Those are caused by different things. They're not caused > by wrong passwords, but by an illegal user name (first line) > or by non-matching reverse DNS (second line). These things > are checked even bevore any user keys are exchanged, so the > authentication method doesn't matter. > > They can be savely ignored, because you're immune to brute- > force attacks. If you don't want to see them, a simple > "egrep -v ..." in /etc/periodic/security/800.loginfail will > do. > > Best regards > Oliver > >