From: Andreas Widerøe Andersen
To: freebsd-questions
Date: Thu, 26 Apr 2007 12:25:06 +0200
Message-ID: <23ed14b80704260325w3fc06647vb114cd411625e16b@mail.gmail.com>
Subject: How do I prevent unauthorized ssh login attempts?

I'm getting a lot of unauthorized ssh login attempts. I have a pretty basic FreeBSD 6.2 setup. I have compiled my own kernel. Here's what I get from my daily security run output:

myserver.domain.com login failures:
Apr 25 20:00:19 myserver sshd[57810]: Invalid user staff from 65.171.74.26
Apr 25 20:00:22 myserver sshd[57812]: Invalid user sales from 65.171.74.26
Apr 25 20:00:24 myserver sshd[57814]: Invalid user recruit from 65.171.74.26
Apr 25 20:00:26 myserver sshd[57816]: Invalid user alias from 65.171.74.26
Apr 25 20:00:28 myserver sshd[57818]: Invalid user office from 65.171.74.26
Apr 25 20:00:30 myserver sshd[57820]: Invalid user samba from 65.171.74.26
Apr 25 20:00:32 myserver sshd[57822]: Invalid user tomcat from 65.171.74.26
Apr 25 20:00:34 myserver sshd[57824]: Invalid user webadmin from 65.171.74.26
Apr 25 20:00:36 myserver sshd[57826]: Invalid user spam from 65.171.74.26
Apr 25 20:00:38 myserver sshd[57828]: Invalid user virus from 65.171.74.26
Apr 25 20:00:41 myserver sshd[57830]: Invalid user cyrus from 65.171.74.26
Apr 25 20:00:43 myserver sshd[57832]: Invalid user oracle from 65.171.74.26
Apr 25 20:00:45 myserver sshd[57834]: Invalid user michael from 65.171.74.26
Apr 25 20:00:47 myserver sshd[57836]: Invalid user ftp from 65.171.74.26
Apr 25 20:00:49 myserver sshd[57838]: Invalid user test from 65.171.74.26
Apr 25 20:00:51 myserver sshd[57840]: Invalid user webmaster from 65.171.74.26
Apr 25 20:00:53 myserver sshd[57842]: Invalid user postmaster from 65.171.74.26
Apr 25 20:00:56 myserver sshd[57844]: Invalid user postfix from 65.171.74.26
Apr 25 20:00:57 myserver sshd[57846]: Invalid user postgres from 65.171.74.26
Apr 25 20:00:59 myserver sshd[57848]: Invalid user paul from 65.171.74.26
Apr 25 20:01:04 myserver sshd[57852]: Invalid user guest from 65.171.74.26
Apr 25 20:01:06 myserver sshd[57854]: Invalid user admin from 65.171.74.26
Apr 25 20:01:08 myserver sshd[57856]: Invalid user linux from 65.171.74.26
Apr 25 20:01:11 myserver sshd[57858]: Invalid user user from 65.171.74.26
Apr 25 20:01:13 myserver sshd[57860]: Invalid user david from 65.171.74.26

How can I stop these attempts or block them - or even recognize them? I do not have IPF installed.

Thanks for your help.

Best regards,
Andreas
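
On the "recognize them" part of the question, an added example (not part of the original message) that groups sshd "Invalid user" lines by source address and flags any source with a burst of them. The threshold, window, year argument and the last three sample lines are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# First six lines are from the message above; the last three are constructed
# (192.0.2.0/24 and 198.51.100.0/24 are documentation address ranges).
SAMPLE_LOG = """\
Apr 25 20:00:19 myserver sshd[57810]: Invalid user staff from 65.171.74.26
Apr 25 20:00:22 myserver sshd[57812]: Invalid user sales from 65.171.74.26
Apr 25 20:00:24 myserver sshd[57814]: Invalid user recruit from 65.171.74.26
Apr 25 20:00:26 myserver sshd[57816]: Invalid user alias from 65.171.74.26
Apr 25 20:00:28 myserver sshd[57818]: Invalid user office from 65.171.74.26
Apr 25 20:00:30 myserver sshd[57820]: Invalid user samba from 65.171.74.26
Apr 25 09:10:00 myserver sshd[41000]: Invalid user bob from 192.0.2.10
Apr 25 21:30:00 myserver sshd[60000]: Invalid user bob from 192.0.2.10
Apr 25 21:45:00 myserver sshd[60100]: Invalid user x from 192.0.2.99 from 198.51.100.7
"""

# The user name is chosen by the client, so match it greedily and take the
# source address from the END of the line; newer sshd also appends " port N".
LINE_RE = re.compile(r"^(\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
                     r"Invalid user (.*) from (\S+)(?: port \d+)?$")

def flag_sources(log_text, threshold=5, window=timedelta(seconds=60), year=2007):
    """Map source address -> user names tried, for every source with at least
    `threshold` invalid-user lines inside one sliding `window`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog omits the year, so the caller supplies it
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events[m.group(3)].append((ts, m.group(2)))
    flagged = {}
    for src, hits in events.items():
        hits.sort()
        start = 0
        for end, (ts, _) in enumerate(hits):
            while ts - hits[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = sorted({user for _, user in hits})
                break
    return flagged

if __name__ == "__main__":
    for src, users in flag_sources(SAMPLE_LOG).items():
        print(f"{src}: {len(users)} invalid user names tried: {', '.join(users)}")
```

The two widely spaced failures from 192.0.2.10 stay below the threshold, which is how an occasional mistyped login differs from the dictionary run in the quoted log.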