Date:      Wed, 6 Apr 2005 00:34:25 -0700 (PDT)
From:      Rob <spamrefuse@yahoo.com>
To:        FreeBSD questions <freebsd-questions@freebsd.org>
Cc:        xmisoy@gmail.com
Subject:   Re: too many illegal connection attempts through ssh
Message-ID:  <20050406073425.44628.qmail@web54005.mail.yahoo.com>

Edwin D. Vinas wrote:
> hello,
> 
> shown below is snapshot of too many illegal
> attempts to login to my server from a suspicious
> hacker. this is taken from the "/var/log/auth.log".
> my question is, how do i automatically block an
> IP address if it is attempting to guess my login
> usernames? can i configure the firewall to check
> the instances a certain IP has

My solution is not foolproof, but appears to be good
enough to stop these bulk attacks on my server. I use
a combination of firewall & alternative sshd port.

For example, in /etc/rc.conf, I have:
  sshd_enable="YES"
  sshd_flags="-p 22 -p 1234"

(choose 1234 whatever alternative port number you
prefer)

Then add two tcp rules to your firewall:

 ipfw add allow log tcp from 55.44.33.22/11 to \
                      ${oip} ssh in via ${oif} setup
 ipfw add allow log tcp from any to ${oip} 1234 \
                                 in via ${oif} setup

where "55.44.33.22/11" represents your, more or less,
trusted nearby network, ${oip} your outbound IP and
${oif} your outbound interface (e.g. rl0).
I suppose you're familiar enough with firewall rules.

These firewall rules allow 'regular' ssh connections
only from within your nearby network; all other
parties must connect over the alternative port number,
1234 in this example.

Regards,
Rob.
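
The question quoted above asks how to find the addresses that keep guessing usernames in /var/log/auth.log; the following is an added example, not part of Rob's message, that counts such attempts per source address so the noisy ones can be reviewed before any firewall rule is written. The function names and the sample log lines are constructed for illustration, and the sshd message wording ("Illegal user" in older OpenSSH, "Invalid user" in newer releases) is an assumption, since the log snapshot from the original question is not on this page.

```shell
#!/bin/sh
# Added example: list sources of repeated unknown-user SSH logins in auth.log.

# count_offenders MIN   (reads syslog lines on stdin)
# Prints "COUNT ADDRESS", highest count first, for every source address
# with at least MIN "Illegal user" / "Invalid user" lines.
count_offenders() {
    awk -v min="$1" '
        # Assumed sshd wording: "Illegal user NAME from ADDR" (older OpenSSH)
        # or "Invalid user NAME from ADDR port N" (newer OpenSSH).
        # "Failed password for illegal user ..." lines are skipped so one
        # attempt is not counted twice.
        /sshd\[[0-9]+\]: (Illegal|Invalid) user / {
            # NAME is chosen by the client and may itself contain
            # "from 10.0.0.1", so take the address after the LAST "from".
            for (i = NF - 1; i > 0; i--) {
                if ($i == "from") {
                    addr = $(i + 1)
                    # Count only tokens that look like an IPv4/IPv6 address.
                    if (addr ~ /^[0-9A-Fa-f:.]+$/) hits[addr]++
                    break
                }
            }
        }
        END {
            for (a in hits) if (hits[a] >= min + 0) print hits[a], a
        }
    ' | sort -rn
}

# Constructed sample lines (documentation address ranges), not a real log.
sample_log() {
    cat <<'EOF'
Apr  6 00:01:02 host sshd[1001]: Illegal user admin from 203.0.113.7
Apr  6 00:01:03 host sshd[1002]: Illegal user test from 203.0.113.7
Apr  6 00:01:04 host sshd[1003]: Illegal user guest from 203.0.113.7
Apr  6 00:01:05 host sshd[1003]: Failed password for illegal user guest from 203.0.113.7 port 4321 ssh2
Apr  6 00:02:00 host sshd[1005]: Illegal user x from 192.0.2.1 from 198.51.100.9
Apr  6 00:03:00 host sshd[1006]: Invalid user oracle from 198.51.100.9 port 50022
Apr  6 00:04:00 host sshd[1007]: Accepted password for rob from 192.0.2.50 port 1050 ssh2
EOF
}

# Real use would be: count_offenders 3 < /var/log/auth.log
sample_log | count_offenders 3
```

The fifth sample line carries a username containing "from 192.0.2.1"; reading the address after the last "from" keeps that forged value out of the counts.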

