From owner-freebsd-questions@FreeBSD.ORG Sat Aug 27 23:59:27 2005 Return-Path: X-Original-To: freebsd-questions@freebsd.org Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5700B16A41F for ; Sat, 27 Aug 2005 23:59:27 +0000 (GMT) (envelope-from nawcom@nawcom.no-ip.com) Received: from nawcom.no-ip.com (adsl-69-208-125-59.dsl.sfldmi.ameritech.net [69.208.125.59]) by mx1.FreeBSD.org (Postfix) with ESMTP id C248943D48 for ; Sat, 27 Aug 2005 23:59:26 +0000 (GMT) (envelope-from nawcom@nawcom.no-ip.com) Received: from [192.168.212.4] (unknown [192.168.212.4]) by nawcom.no-ip.com (Postfix) with ESMTP id C5FB777F8; Sat, 27 Aug 2005 20:21:22 -0400 (EDT) Message-ID: <4310FE6C.6050401@nawcom.no-ip.com> Date: Sat, 27 Aug 2005 19:59:40 -0400 From: nawcom User-Agent: Mozilla Thunderbird 1.0.2 (X11/20050317) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Maarten Sanders , freebsd-questions@freebsd.org References: <810a540e0508232127737d91fb@mail.gmail.com> <200508241119671.SM00756@chris> <20050825112237.GE45634@topper.cteresource.org> <1125008688.39123.14.camel@maarten> In-Reply-To: <1125008688.39123.14.camel@maarten> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: Subject: Re: Illegal access attempt - FreeBSD 5.4 Release - please advise X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 27 Aug 2005 23:59:27 -0000 I also get a large amount of atttacks via ssh, i decided that the people who have access to my server (only 12) know what their usernames are. my decision was to set up a swatch script to monitor the types of errors that are picked up in the logs: -if the attempt was with a username that doesnt exist - i add the ip to a db of banned ips and flush and restart ipfw -if it is from a username that does exist - i give the person 5 tries, if by the 5th try they cant get in, i add the ip to the db as stated above. it sounds pretty harsh, but it definetely stops those idiots. ive got a large list of ips, and from nmapping them most are from people running entry level linux distros with many holes in their security setup. i could get revenge, but not worth it. if anyone is curious about the script let me know, Ben Maarten Sanders wrote: >On Thu, 2005-08-25 at 07:22 -0400, Lee Capps wrote: > > >>On 11:18 Wed 24 Aug , Chris St Denis wrote: >> >> >>>How can I easily auto deny after x failed attempts? Is this an sshd setting? >>>I could find it. >>> >>>Is there something in ports that will firewall off somebody who is brute >>>forcing? >>> >>> >>In addition to adding entries to /etc/hosts.allow you could try >>DenyHosts: >> >>http://denyhosts.sourceforge.net/ >> >>I didn't find a port, but it works with FreeBSD and isn't too onerous to >>install. >> >>HTH, >> >>Lee >>_______________________________________________ >>freebsd-questions@freebsd.org mailing list >>http://lists.freebsd.org/mailman/listinfo/freebsd-questions >>To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org" >> >> >> >Nice suggestion, but how do I enable tcp_wrappers with sshd? > >See : http://denyhosts.sourceforge.net/ssh_config.html >I tried adding > >sshd: 127.0.0.1 : deny to /etc/hosts.allow but I failed the described >test. > >Maarten > > >_______________________________________________ >freebsd-questions@freebsd.org mailing list >http://lists.freebsd.org/mailman/listinfo/freebsd-questions >To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org" > >