From owner-freebsd-stable@FreeBSD.ORG Sat Dec 23 07:19:54 2006
From: security
Date: Fri, 22 Dec 2006 22:53:11 -0800
To: freebsd-stable@FreeBSD.ORG, gmenhennitt@optusnet.com.au
Subject: Re: Block IP
Message-ID: <458CD257.7060603@jim-liesl.org>
In-Reply-To: <200612220806.kBM86HgT035285@lurza.secnetix.de>

Oliver Fromme wrote:
> Graham Menhennitt wrote:
> > Christopher Hilton wrote:
> > > If it's at all possible switch to using public keys for authentication
> > > with ssh and disallow password authentication. This completely stops
> > > the brute forcing attacks from filling up your periodic security mail.
> > Are you sure about that? I only allow PublickeyAuthentication ssh2
> > connections but I get lots of security mail messages like:
> >
> > Nov 16 01:44:08 maxwell sshd[70067]: Invalid user marcos from 202.54.49.7
> > Nov 16 01:44:23 maxwell sshd[70067]: reverse mapping checking getaddrinfo for 49-7.broadband.vsnl.net.in failed - POSSIBLE BREAKIN ATTEMPT!
>
> Those are caused by different things. They're not caused
> by wrong passwords, but by an illegal user name (first line)
> or by non-matching reverse DNS (second line). These things
> are checked even before any user keys are exchanged, so the
> authentication method doesn't matter.
>
> They can be safely ignored, because you're immune to
> brute-force attacks. If you don't want to see them, a simple
> "egrep -v ..." in /etc/periodic/security/800.loginfail will
> do.
>
> Best regards
> Oliver
>

I can't remember, but has anyone mentioned "blocksshd"? It's in ports/security. I still prefer locking down to public key only, but blocksshd is nice.
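Oliver's suggestion above, an egrep -v in the periodic loginfail script, worked through as an added example that is not part of the original thread and not FreeBSD's own 800.loginfail code: a small POSIX shell filter over constructed sshd log lines (addresses and hostnames are made up, modelled on the two lines Graham quoted) that drops the two pre-authentication messages and counts them instead, so the volume of scanning stays visible in the report without the per-line noise. The function names and the sample log are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample of sshd log lines, modelled on the ones quoted in the
# thread; addresses and hostnames are made up for this example.
SAMPLE_LOG='Nov 16 01:44:08 maxwell sshd[70067]: Invalid user marcos from 192.0.2.7
Nov 16 01:44:23 maxwell sshd[70067]: reverse mapping checking getaddrinfo for host.example.invalid failed - POSSIBLE BREAKIN ATTEMPT!
Nov 16 01:45:02 maxwell sshd[70071]: Failed password for root from 192.0.2.8 port 40112 ssh2
Nov 16 01:46:10 maxwell sshd[70075]: Accepted publickey for alice from 198.51.100.5 port 50022 ssh2'

# Drop the two messages sshd emits before any key or password is examined
# (unknown user name, reverse DNS mismatch); every other line passes through.
# Hypothetical helper name, not from the periodic script.
filter_preauth_noise() {
    grep -E -v 'sshd\[[0-9]+\]: (Invalid user |reverse mapping checking getaddrinfo for )'
}

# Count the dropped lines by kind so the scanning volume is still reported
# even though the individual lines are suppressed.
summarize_preauth_noise() {
    awk '/sshd\[[0-9]+\]: Invalid user /            { invalid++ }
         /reverse mapping checking getaddrinfo for/ { rdns++ }
         END { printf "invalid-user=%d reverse-dns=%d\n", invalid, rdns }'
}

# Number of lines that survive the filter on the constructed sample.
count_filtered() {
    printf '%s\n' "$SAMPLE_LOG" | filter_preauth_noise | wc -l | tr -d ' '
}

# Stand-alone run: print the surviving lines, then the summary of what was dropped.
printf '%s\n' "$SAMPLE_LOG" | filter_preauth_noise
printf '%s\n' "$SAMPLE_LOG" | summarize_preauth_noise
```

On the sample, the invalid-user and reverse-DNS lines are removed and only the failed-password and accepted-publickey lines remain; on a host that has password authentication disabled, as Christopher recommends, the failed-password line would not occur at all, leaving only genuine authentication events in the mail.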