Date:      Wed, 13 Apr 2005 23:55:24 +0200
From:      Hexren <me@hexren.net>
To:        Benjamin Rossen <b.rossen@onsnet.nu>
Cc:        freebsd-questions@freebsd.org
Subject:   Re[2]: too many illegal connection attempts through ssh
Message-ID:  <19221994686.20050413235524@hexren.net>
In-Reply-To: <200504132347.49133.b.rossen@onsnet.nu>
References:  <36f5bbba050406001514562df7@mail.gmail.com> <1113425167.91701.14.camel@red.nativenerds.com> <200504132347.49133.b.rossen@onsnet.nu>

> On Wed, 2005-04-06 at 07:15 +0000, Edwin D. Vinas wrote:
>> hello,
>> 
>> shown below is snapshot of too many illegal attempts to login to my
>> server from a suspicious hacker. this is taken from the
>> "/var/log/auth.log". my question is, how do i automatically block an
>> IP address if it is attempting to guess my login usernames? can i
>> configure the firewall to check the instances a certain IP has
>> attempted to access/ssh the server, and if it has failed to login for
>> about "x" number of attempts, it will be blocked automatically?
>> 
>> thank you in advance!
>> 
>> -edwin
>> 
>> ----------------
>> Mar 26 05:00:00 pawikan newsyslog[11879]: logfile turned over ...etc.

> This is one of those things we all have to live with. 

> I once had the idea to start an Open Source Project for making an 
> administrators' tool that would work as follows. The tool would collect these 
> records and send the information to a central server. I would be willing to 
> donate and administer that server. The server would then track where these 
> attacks are coming from. If it becomes apparent that the attacks are coming 
> from a lone idiot doing one or two amateurish crack attempts, nothing further 
> need be done. On the other hand, if it becomes apparent that the source is 
> making repeated attacks on many machines, then a co-ordinate message would go 
> out to all administrators using the tool. This could be automated. We could 
> hope that many tens of thousands of BSD administrators would be using this 
> tool (on many hundreds of thousands of BSD machines). All the machines 
> administered by users of this tool would then launch a concerted Denial Of 
> Service attack on the cracker address. 

> Now, how about that? 

> Of course, we could also try to do this nicely; for example, we could send 
> automated notifications to the ISPs servicing the offending machines, or to 
> ICANN, or to the police and other authorities in the countries where this 
> kind of behavior is illegal, and so on. However, that would certainly be 
> quite ineffective, and much less fun. 

> Or we could combine these strategies. We could notify the ISPs that the 
> attacks are coming from one of their clients, informing them that a Tsunami 
> DOS shall follow if they do not put a stop to the attacks. 

> Just an idea...

> Benjamin Rossen 

---------------------------------------------

Sounds fun but opens the door for every local user with ssh access to
DOS the machine he is on. I am not that fond of the idea.
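The original question (count failed sshd logins per source address in /var/log/auth.log and block an address after "x" attempts) is the part of this thread that can actually be shown in code. The script below is an added example, not something posted by anyone in the thread. It scans constructed auth.log lines in the format the poster's sshd writes ("Illegal user ... from ...", "Failed password for ... from ..."), counts failures per source address, and emits `pfctl -t <table> -T add <ip>` commands for a pf table; the table name `bruteforce`, the sample addresses and the allowlist network are assumptions for the example. The allowlist is the check a practitioner wants before automating any block: addresses on your own management networks are never added, so a mistyped admin password, or failures deliberately provoked by someone else sharing a host, cannot lock the administrator out.

```python
"""Count failed sshd logins per source address and build pf block commands.

Added example; assumes a pf table named "bruteforce" (see pfctl_commands).
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample in the style of /var/log/auth.log on FreeBSD. These are
# made-up entries using documentation addresses, not the poster's real log.
SAMPLE_AUTH_LOG = """\
Mar 26 05:10:01 pawikan sshd[12001]: Illegal user test from 203.0.113.45
Mar 26 05:10:03 pawikan sshd[12003]: Illegal user guest from 203.0.113.45
Mar 26 05:10:05 pawikan sshd[12005]: Illegal user admin from 203.0.113.45
Mar 26 05:10:07 pawikan sshd[12007]: Failed password for root from 203.0.113.45 port 40122 ssh2
Mar 26 05:10:09 pawikan sshd[12009]: Failed password for illegal user oracle from 203.0.113.45 port 40130 ssh2
Mar 26 05:11:00 pawikan sshd[12020]: Failed password for edwin from 192.0.2.10 port 51000 ssh2
Mar 26 05:11:05 pawikan sshd[12022]: Accepted publickey for edwin from 192.0.2.10 port 51002 ssh2
Mar 26 05:12:00 pawikan sshd[12030]: Illegal user www from 198.51.100.7
Mar 26 05:12:01 pawikan newsyslog[12031]: logfile turned over
"""

# Failure lines OpenSSH writes via syslog. "Illegal user" is the wording of the
# OpenSSH version in the original log; later releases say "Invalid user", so
# both are accepted. "Failed <method> for [illegal user] <name> from <ip>"
# covers wrong passwords for existing and non-existing accounts.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: (?:"
    r"Illegal user (?P<user1>\S+) from (?P<ip1>\S+)"
    r"|Invalid user (?P<user2>\S+) from (?P<ip2>\S+)"
    r"|Failed \S+ for (?:(?:illegal|invalid) user )?(?P<user3>\S+) from (?P<ip3>\S+)"
    r")"
)


def failed_sources(lines):
    """Return a Counter of source address -> number of failed attempts."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if not m:
            continue  # successful logins, newsyslog noise, other daemons
        ip = m.group("ip1") or m.group("ip2") or m.group("ip3")
        try:
            ip_address(ip)  # skip hostnames (sshd with UseDNS) and junk
        except ValueError:
            continue
        counts[ip] += 1
    return counts


def offenders(lines, threshold=3, allowlist=()):
    """Addresses with >= threshold failures, minus anything on the allowlist.

    allowlist holds CIDR strings for networks that must never be blocked
    (your own management networks), so that a typo or a burst of failures
    caused by another user cannot lock the administrator out.
    """
    allow_nets = [ip_network(n) for n in allowlist]
    result = []
    for ip, n in failed_sources(lines).items():
        if n < threshold:
            continue
        if any(ip_address(ip) in net for net in allow_nets):
            continue
        result.append(ip)
    return sorted(result)


def pfctl_commands(ips, table="bruteforce"):
    """Build 'pfctl -t <table> -T add <ip>' commands for a pf table.

    Assumes pf.conf defines the table and blocks traffic from it, e.g.
        table <bruteforce> persist
        block in quick from <bruteforce>
    The table name is an assumption made for this example.
    """
    return [f"pfctl -t {table} -T add {ip}" for ip in ips]


if __name__ == "__main__":
    lines = SAMPLE_AUTH_LOG.splitlines()
    # 192.0.2.0/24 stands in for the administrator's own network (assumed).
    for cmd in pfctl_commands(offenders(lines, threshold=3, allowlist=["192.0.2.0/24"])):
        print(cmd)
```

Run it against a real log with `tail -F /var/log/auth.log` piped in, or from a periodic job, and feed the printed commands to a shell. Keep the threshold low enough to catch dictionary runs like the one in the original log but above the number of typos a legitimate user makes, and keep the allowlist populated before turning the blocking on.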



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19221994686.20050413235524>