Date: Fri, 9 Oct 2009 16:53:10 -0500
From: "Gary Gatten" <Ggatten@waddell.com>
To: "Adam Vande More" <amvandemore@gmail.com>, "Aflatoon Aflatooni" <aaflatooni@yahoo.com>
Cc: freebsd-questions@freebsd.org
Subject: RE: Security blocking question
Message-ID: <20742_1255125211_4ACFB0DB_20742_1553_2_70C0964126D66F458E688618E1CD008A08CCED3B@WADPEXV0.waddell.com>
In-Reply-To: <6201873e0910091448h46c13ce4h2e9df8920a8fe27a@mail.gmail.com>
References: <526808.11391.qm@web56207.mail.re3.yahoo.com> <6201873e0910091448h46c13ce4h2e9df8920a8fe27a@mail.gmail.com>

I might also add, if it's only a handful that have legitimate access
requirements, maybe black hole all ip's from locations (countries, etc.)
they'll never be in. We see a lot of bad traffic from well, certain
countries and we simply null route them. Or if I feel like playing a bit
I'll route them to a tar-pit and honey pot just to see what they do.
Pretty entertaining sometimes! :)

-----Original Message-----
From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Adam Vande More
Sent: Friday, October 09, 2009 4:48 PM
To: Aflatoon Aflatooni
Cc: freebsd-questions@freebsd.org
Subject: Re: Security blocking question

On Fri, Oct 9, 2009 at 4:45 PM, Aflatoon Aflatooni <aaflatooni@yahoo.com> wrote:

> Hi,
> The production server that has a public IP address has SSH enabled. This
> server is continuously under dictionary attack:
> Oct 8 12:58:40 seven sshd[32248]: Invalid user europa from 83.65.199.91
> Oct 8 12:58:40 seven sshd[32250]: Invalid user hacked from 83.65.199.91
> Oct 8 12:58:40 seven sshd[32251]: Invalid user cop\r from 83.65.199.91
> Oct 8 12:58:41 seven sshd[32254]: Invalid user gel from 83.65.199.91
> Oct 8 12:58:41 seven sshd[32255]: Invalid user dork from 83.65.199.91
> Oct 8 12:58:41 seven sshd[32258]: Invalid user eva from 83.65.199.91
> Oct 8 12:58:41 seven sshd[32260]: Invalid user hacker from 83.65.199.91
> Oct 8 12:58:41 seven sshd[32261]: Invalid user copila\r from 83.65.199.91
> Oct 8 12:58:42 seven sshd[32265]: Invalid user dorna from 83.65.199.91
> Oct 8 12:58:42 seven sshd[32264]: Invalid user gelo from 83.65.199.91
> Oct 8 12:58:42 seven sshd[32268]: Invalid user evara from 83.65.199.91
> Oct 8 12:58:43 seven sshd[32270]: Invalid user hack from 83.65.199.91
> Oct 8 12:58:43 seven sshd[32271]: Invalid user copil\r from 83.65.199.91
> Oct 8 12:58:43 seven sshd[32274]: Invalid user Doubled from 83.65.199.91
> Oct 8 12:58:43 seven sshd[32275]: Invalid user gelos from 83.65.199.91
> Oct 8 12:58:44 seven sshd[32278]: Invalid user eve from 83.65.199.91
>
> Is there a way that I could configure the server so that if there are for
> example X attempts from an IP address then for the next Y hours all the SSH
> requests would be ignored from that IP address?
> There are only a handful of people who have access to that server.
>
> Thanks
>
>

/usr/ports/security/denyhosts

-- 
Adam Vande More
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
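
The rule asked for in the thread (X attempts from one address, then ignore it for Y hours), as an added Python example that is not part of the thread and is not DenyHosts' own code. `find_bans`, its parameters and the allow-list are assumptions; the sample lines are copied from the quoted log, plus one constructed line from a documentation address.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Anchored at end of line: the user name is attacker-controlled and may
# itself contain " from 1.2.3.4", so only the trailing address is trusted.
# Newer sshd versions append " port N"; that suffix is accepted as optional.
LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Invalid user .*? from (\d{1,3}(?:\.\d{1,3}){3})(?: port \d+)?\s*$"
)

def find_bans(lines, max_attempts, window, ban_for, year=2009, allow=()):
    """Return {ip: ban_expiry} for sources with max_attempts hits inside window."""
    recent = defaultdict(deque)      # ip -> timestamps of recent failures
    bans = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts_text, ip = m.groups()
        if ip in allow:              # never lock out the handful of real users
            continue
        # syslog timestamps carry no year, so the caller supplies one
        ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
        if ip in bans and ts < bans[ip]:
            continue                 # still inside an active ban
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:    # slide the window forward
            q.popleft()
        if len(q) >= max_attempts:
            bans[ip] = ts + ban_for
            q.clear()
    return bans

SAMPLE = [  # first six lines are from the thread; the last is constructed
    "Oct 8 12:58:40 seven sshd[32248]: Invalid user europa from 83.65.199.91",
    "Oct 8 12:58:40 seven sshd[32250]: Invalid user hacked from 83.65.199.91",
    "Oct 8 12:58:40 seven sshd[32251]: Invalid user cop\\r from 83.65.199.91",
    "Oct 8 12:58:41 seven sshd[32254]: Invalid user gel from 83.65.199.91",
    "Oct 8 12:58:41 seven sshd[32255]: Invalid user dork from 83.65.199.91",
    "Oct 8 12:58:41 seven sshd[32258]: Invalid user eva from 83.65.199.91",
    "Oct 8 13:02:10 seven sshd[40001]: Invalid user typo from 192.0.2.10",
]

if __name__ == "__main__":
    for ip, until in find_bans(SAMPLE, 5, timedelta(minutes=1), timedelta(hours=2)).items():
        print(f"block {ip} until {until}")
```

The function only decides which addresses to block and until when; applying that decision (a packet-filter table, `hosts.allow`, or a tool such as the DenyHosts port named in the reply) is left to the reader.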