Date:      Fri, 31 Mar 2006 15:49:08 +0200
From:      albi <albi@scii.nl>
To:        Nathan Vidican <nvidican@wmptl.com>
Cc:        questions@freebsd.org
Subject:   Re: repeated ssh login attempts/failure/break-in attempts from kiddy script
Message-ID:  <442D3354.50106@scii.nl>
In-Reply-To: <442D31C6.5050700@wmptl.com>
References:  <442D31C6.5050700@wmptl.com>

Nathan Vidican wrote:
> Noted recently in auth.log, a string of connection attempts
> repeated/failed over and over from one host - looks like a script
> someone's running, tries all kinds of various usernames, etc... attempts
> like 100-200 logins, fails and goes away.
> 
> Few hours go by, and another such attempt, from a different IP comes in.
> If I'm here and just happen to notice them - simple ipfw add deny...
> does the trick, but is there not a way to limit the login attempts for a
> certain period of time?
> 
> ie: after 4 failed attempts from IP _BLANK_ in less than _BLANK_
> minutes, deny all attempts and drop connection from said IP... possible?
> 
> Any suggestions/ideas? Thus far, no one has managed to login (there are
> only three accounts which even have a shell or can login via ssh... but
> still not the point). I'd just like to get rid of the problem and save
> my auth.log file for perhaps something more useful ;)

this is a FAQ by now :-)

some people recommend denyhosts, it's in the ports afaik
http://denyhosts.sourceforge.net/faq.html#2_4

i don't use this myself, i prefer the AllowUsers option in sshd.config,
and i'm using a ssh-jail anyway with a disabled root-passwd

-- 
grtjs, albi
gpg-key: lynx -dump http://scii.nl/~albi/gpg.asc | gpg --import
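
The limit asked about in the quoted question (N failed attempts from one IP within M minutes), sketched as an added example that is not part of the original thread and is not DenyHosts code. The log line format, the 10-minute default window, the year and all sample lines are assumptions made for illustration; the threshold of 4 comes from the question.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed format: "... sshd[pid]: Failed <method> for <user> from <ip> port <n> ssh2".
# The user name is attacker-chosen text, so the greedy ".*" and the "$" anchor
# take the address from the end of the line, never from inside the user name.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed \S+ for .* from (?P<ip>\S+) port \d+ ssh2$"
)

# Constructed sample lines (documentation addresses, made-up host name "gw").
SAMPLE_LOG = """\
Mar 31 15:40:01 gw sshd[4101]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Mar 31 15:40:03 gw sshd[4103]: Failed password for invalid user test from 203.0.113.5 port 40130 ssh2
Mar 31 15:40:06 gw sshd[4105]: Failed password for root from 203.0.113.5 port 40141 ssh2
Mar 31 15:40:09 gw sshd[4107]: Failed password for invalid user guest from 203.0.113.5 port 40150 ssh2
Mar 31 15:41:00 gw sshd[4110]: Failed password for nathan from 198.51.100.7 port 51000 ssh2
Mar 31 15:41:30 gw sshd[4111]: Accepted password for nathan from 198.51.100.7 port 51000 ssh2
Mar 31 15:42:00 gw sshd[4112]: Failed password for invalid user x from 192.0.2.9 port 1 ssh2 from 203.0.113.77 port 40160 ssh2
""".splitlines()


def offenders(lines, max_failures=4, window=timedelta(minutes=10), year=2006):
    """Map each source IP to the time it reached max_failures within window."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside window
    flagged = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        try:
            ip = str(ipaddress.ip_address(m["ip"]))  # drop non-address text
        except ValueError:
            continue
        # syslog timestamps carry no year, so the caller supplies one
        ts = datetime.strptime(f"{m['ts']} {year}", "%b %d %H:%M:%S %Y")
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # expire failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            flagged.setdefault(ip, ts)
    return flagged


if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG).items():
        print(f"{when:%b %d %H:%M:%S} {ip} reached the failure threshold")
```

The function only reports addresses; feeding them to a firewall rule or hosts.deny is left to the admin, and a single mistyped password from a legitimate user (198.51.100.7 in the sample) stays below the threshold.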