Date:      Wed, 6 Apr 2005 09:30:48 -0700 (PDT)
From:      Philip Hallstrom <freebsd@philip.pjkh.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: too many illegal connection attempts through ssh
Message-ID:  <20050406092757.V44943@wolf.pjkh.com>
In-Reply-To: <200504060729.42571.krinklyfig@spymac.com>
References:  <36f5bbba050406001514562df7@mail.gmail.com> <4253B4CE.6070504@locolomo.org> <200504060729.42571.krinklyfig@spymac.com>

>>>> shown below is a snapshot of too many illegal attempts to login to
>>>> my server from a suspicious hacker. this is taken from the
>>>> "/var/log/auth.log". my question is, how do I automatically block
>>>> an IP address if it is attempting to guess my login usernames?
>>>> can I configure the firewall to check the instances a certain IP
>>>> has attempted to access/ssh the server, and if it has failed to
>>>> login for about "x" number of attempts, it will be blocked
>>>> automatically?
>>>
>>> This question is asked on the list ever so often - see the archives
>>> for suggestions. These are automated attacks, they come regularly
>>> as crackers, black hats or script kiddies scan across the net.
>>
>> Does anybody know what robots are being used? And on what systems? All
>> you mention later in your posting is true of course and I needn't
>> care about these logs, but it's like somebody unknown puts 10
>> flyers in your letterbox every night. I'm sure one night you'll hide
>> and build a trap for that person. I'm too lazy to enter those
>> net-circles for finding these robots, but maybe someone else has
>> already done that?

I haven't done that, but if you don't like them you can block them fairly 
easily... I wrote a little script in PHP (not that it would be hard to 
re-write in perl or whatever) that watches /var/log/auth.log and if it 
sees an invalid login, it adds a firewall rule to block that IP.

Then I've got a separate cronjob that removes those firewall rules a 
couple minutes later.

Yes, I have locked myself out of my own server when I mistype my password, 
but I just wait a minute and it lets me back in.

I thought about modifying it so instead of outright blocking it, it put 
it into a pipe that limited its bandwidth to almost nil just to hold the 
thing up a bit, but this works for me.

http://www.pjkh.com/sshmonitor/

-philip
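An added example, not Philip's PHP script and not taken from pjkh.com, of the same two halves in Python: a watcher that turns failed-login lines from /var/log/auth.log into ipfw block rules, and the cron-job side that lifts them a couple of minutes later. The threshold (default 1, matching the "mistyped password locks me out" behaviour), the ipfw rule numbers, the rule syntax and the sample log lines are my assumptions; the ipfw commands are returned as strings for the caller to run rather than executed here.

```python
import re
from collections import defaultdict
# sshd failed-login lines in auth.log: "Illegal user" (OpenSSH of the time) or "Invalid user" (later),
# and a wrong password for a real account. The paired "Failed password for invalid user" line is skipped.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: (?:(?:Illegal|Invalid) user \S+|Failed password for (?!invalid user)\S+)"
    r" from (\d{1,3}(?:\.\d{1,3}){3})"
)
class SshMonitor:
    def __init__(self, threshold=1, block_seconds=120, first_rule=5000):
        self.threshold = threshold          # 1 = block on the first failure, as Philip's script does
        self.block_seconds = block_seconds  # how long the cron job leaves the rule in place
        self.next_rule = first_rule         # each block gets its own ipfw rule number (assumed unused)
        self.failures = defaultdict(int)
        self.blocked = {}                   # ip -> (rule number, time blocked)

    def feed(self, line, now):
        # Returns an 'ipfw add' command when this line pushes an IP over the threshold, else None.
        m = FAILED_RE.search(line)
        if not m or m.group(1) in self.blocked:
            return None
        ip = m.group(1)
        self.failures[ip] += 1
        if self.failures[ip] < self.threshold:
            return None
        rule, self.next_rule = self.next_rule, self.next_rule + 1
        self.blocked[ip] = (rule, now)
        return f"ipfw add {rule} deny tcp from {ip} to me dst-port 22"

    def expire(self, now):
        # The cron job's half: 'ipfw delete' commands for every block older than block_seconds.
        cmds = []
        for ip, (rule, since) in list(self.blocked.items()):
            if now - since >= self.block_seconds:
                cmds.append(f"ipfw delete {rule}")
                del self.blocked[ip]
                self.failures.pop(ip, None)  # a lifted block starts the count afresh
        return cmds
# Constructed sample lines in auth.log format (host name and addresses are invented).
SAMPLE_LOG = [
    "Apr  6 09:12:33 wolf sshd[44921]: Illegal user admin from 192.0.2.10",
    "Apr  6 09:12:33 wolf sshd[44921]: Failed password for invalid user admin from 192.0.2.10 port 4123 ssh2",
    "Apr  6 09:12:40 wolf sshd[44925]: Failed password for root from 198.51.100.7 port 4130 ssh2",
]
def run_sample(threshold=1):
    # Replay SAMPLE_LOG at time 0; return (block commands, unblock commands the cron job issues at 3 min).
    mon = SshMonitor(threshold=threshold)
    blocks = [c for c in (mon.feed(line, now=0) for line in SAMPLE_LOG) if c]
    return blocks, mon.expire(now=180)
```

Feeding the output of `tail -F /var/log/auth.log` through `feed` and calling `expire` from cron reproduces the setup described above; raising `threshold` gives the "x attempts" behaviour the original question asked for.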
