From owner-freebsd-questions@FreeBSD.ORG Fri Oct 9 21:53:47 2009 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id CDFC8106568B for ; Fri, 9 Oct 2009 21:53:47 +0000 (UTC) (envelope-from Ggatten@waddell.com) Received: from mailhost0.waddell.com (mailhost0.waddell.com [12.154.38.61]) by mx1.freebsd.org (Postfix) with ESMTP id 953678FC1D for ; Fri, 9 Oct 2009 21:53:47 +0000 (UTC) Received: from mailhost3.waddell.com (mailhost3.waddell.com [10.1.10.28]) by mailhost0.waddell.com (8.13.8/8.13.8) with ESMTP id n99LrVCb007484; Fri, 9 Oct 2009 16:53:31 -0500 (CDT) (envelope-from Ggatten@waddell.com) Received: from mailhost3.waddell.com (localhost [127.0.0.1]) by localhost (Postfix) with SMTP id 5DF133C32D; Fri, 9 Oct 2009 16:53:31 -0500 (CDT) Received: from wadpexf0.waddell.com (wadpexf0.waddell.com [192.168.204.24]) by mailhost3.waddell.com (Postfix) with ESMTP id 53C123BCA6; Fri, 9 Oct 2009 16:53:31 -0500 (CDT) Received: from WADPEXV0.waddell.com ([192.168.204.25]) by wadpexf0.waddell.com with Microsoft SMTPSVC(6.0.3790.3959); Fri, 9 Oct 2009 16:53:31 -0500 X-MimeOLE: Produced By Microsoft Exchange V6.5 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Date: Fri, 9 Oct 2009 16:53:10 -0500 Message-ID: <20742_1255125211_4ACFB0DB_20742_1553_2_70C0964126D66F458E688618E1CD008A08CCED3B@WADPEXV0.waddell.com> In-Reply-To: <6201873e0910091448h46c13ce4h2e9df8920a8fe27a@mail.gmail.com> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Security blocking question Thread-Index: AcpJKj9RxjEiHyGZRYe25cyJXfAO6wAADFRA References: <526808.11391.qm@web56207.mail.re3.yahoo.com> <6201873e0910091448h46c13ce4h2e9df8920a8fe27a@mail.gmail.com> From: "Gary Gatten" To: "Adam Vande More" , "Aflatoon Aflatooni" X-OriginalArrivalTime: 09 Oct 2009 21:53:31.0221 (UTC) FILETIME=[F0E0F850:01CA492A] Cc: freebsd-questions@freebsd.org Subject: RE: Security blocking question X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 09 Oct 2009 21:53:48 -0000 I might also add, if it's only a handful that have legitimate access requirements, maybe black hole all ip's from locations (countries, etc.) they'll never be in. We see a lot of bad traffic from well, certain countries and we simply null route them. Or if I feel like playing a bit I'll route them to a tar-pit and honey pot just to see what they do. Pretty entertaining sometimes! :) -----Original Message----- From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Adam Vande More Sent: Friday, October 09, 2009 4:48 PM To: Aflatoon Aflatooni Cc: freebsd-questions@freebsd.org Subject: Re: Security blocking question On Fri, Oct 9, 2009 at 4:45 PM, Aflatoon Aflatooni wrote: > Hi, > The production server that has a public IP address has SSH enabled. This > server is continuously under dictionary attack: > Oct 8 12:58:40 seven sshd[32248]: Invalid user europa from 83.65.199.91 > Oct 8 12:58:40 seven sshd[32250]: Invalid user hacked from 83.65.199.91 > Oct 8 12:58:40 seven sshd[32251]: Invalid user cop\r from 83.65.199.91 > Oct 8 12:58:41 seven sshd[32254]: Invalid user gel from 83.65.199.91 > Oct 8 12:58:41 seven sshd[32255]: Invalid user dork from 83.65.199.91 > Oct 8 12:58:41 seven sshd[32258]: Invalid user eva from 83.65.199.91 > Oct 8 12:58:41 seven sshd[32260]: Invalid user hacker from 83.65.199.91 > Oct 8 12:58:41 seven sshd[32261]: Invalid user copila\r from 83.65.199.91 > Oct 8 12:58:42 seven sshd[32265]: Invalid user dorna from 83.65.199.91 > Oct 8 12:58:42 seven sshd[32264]: Invalid user gelo from 83.65.199.91 > Oct 8 12:58:42 seven sshd[32268]: Invalid user evara from 83.65.199.91 > Oct 8 12:58:43 seven sshd[32270]: Invalid user hack from 83.65.199.91 > Oct 8 12:58:43 seven sshd[32271]: Invalid user copil\r from 83.65.199.91 > Oct 8 12:58:43 seven sshd[32274]: Invalid user Doubled from 83.65.199.91 > Oct 8 12:58:43 seven sshd[32275]: Invalid user gelos from 83.65.199.91 > Oct 8 12:58:44 seven sshd[32278]: Invalid user eve from 83.65.199.91 > > Is there a way that I could configure the server so that if there are for > example X attempts from an IP address then for the next Y hours all the SSH > requests would be ignored from that IP address? > There are only a handful of people who have access to that server. > > Thanks > > /usr/ports/security/denyhosts --=20 Adam Vande More _______________________________________________ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
"This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system."