Skip site navigation (1)Skip section navigation (2) 
Date:      Fri, 31 Mar 2006 06:44:49 -0700
From:      "Pat Maddox" <pergesu@gmail.com>
To:        "Nathan Vidican" <nvidican@wmptl.com>
Cc:        questions@freebsd.org
Subject:   Re: repeated ssh login attempts/failure/break-in attempts from kiddy script
Message-ID:  <810a540e0603310544j6434d4e1w51e9df2cfeaaf3bc@mail.gmail.com>
In-Reply-To: <442D31C6.5050700@wmptl.com>
References:  <442D31C6.5050700@wmptl.com>
next in thread | previous in thread | raw e-mail | index | archive | help 
Disable password-based logins (use keys instead), move SSH to another
port, or install some kind of brute force monitor.  First two options
are the best, but if for some reason you need to keep it on 22 and
password-based logins then look to a BF monitor.  Just make sure you
actually need it..and do some googling, as this gets talked about a
lot (I know, because I asked the same question a few months ago! :)

Pat



On 3/31/06, Nathan Vidican <nvidican@wmptl.com> wrote:
> Noted recently in auth.log, a string of connection attempts repeated/fail=
ed over
> and over from one host - looks like a script someone's running, tries all=
 kinds
> of various usernames, etc... attempts like 100-200 logins, fails and goes=
 away.
>
> Few hours go by, and another such attempt, from a different IP comes in. =
If I'm
> here and just happen to notice them - simple ipfw add deny... does the tr=
ick,
> but is there not a way to limit the login attempts for a certain period o=
f time?
>
> ie: after 4 failed attempts from IP _BLANK_ in less than _BLANK_ minutes,=
 deny
> all attempts and drop connection from said IP... possible?
>
> Any suggestions/ideas? Thus far, no one has managed to login (there are o=
nly
> three accounts which even have a shell or can login via ssh... but still =
not the
> point). I'd just like to get rid of the problem and save my auth.log file=
 for
> perhaps something more useful ;)
>
>
> --
> Nathan Vidican
> nvidican@wmptl.com
> Windsor Match Plate & Tool Ltd.
> http://www.wmptl.com/
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.o=
rg"
>

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?810a540e0603310544j6434d4e1w51e9df2cfeaaf3bc>