Date:      Tue, 02 Jan 2007 08:12:37 -0500
From:      Nathan Vidican <nvidican@wmptl.com>
To:        questions@freebsd.org
Subject:   sshd break-in attempt
Message-ID:  <459A5A45.4080309@wmptl.com>

We keep getting attempts from what look like a username/password scanner 
utility to log in to our servers externally via sshd. Thankfully, we're 
not ignorant enough to leave common account names open; however, it is 
annoying to say the least. We're getting things like this:

Jan  1 09:07:34 fw sshd[66547]: Invalid user staff from 208.44.210.15
Jan  1 09:07:35 fw sshd[66549]: Invalid user sales from 208.44.210.15
Jan  1 09:07:36 fw sshd[66551]: Invalid user recruit from 208.44.210.15
Jan  1 09:07:37 fw sshd[66553]: Invalid user alias from 208.44.210.15
Jan  1 09:07:38 fw sshd[66555]: Invalid user office from 208.44.210.15
Jan  1 09:07:38 fw sshd[66557]: Invalid user samba from 208.44.210.15
Jan  1 09:07:39 fw sshd[66559]: Invalid user tomcat from 208.44.210.15
Jan  1 09:07:40 fw sshd[66561]: Invalid user webadmin from 208.44.210.15
Jan  1 09:07:41 fw sshd[66563]: Invalid user spam from 208.44.210.15
Jan  1 09:07:42 fw sshd[66565]: Invalid user virus from 208.44.210.15
Jan  1 09:07:43 fw sshd[66567]: Invalid user cyrus from 208.44.210.15
Jan  1 09:07:43 fw sshd[66569]: Invalid user staff from 208.44.210.15
Jan  1 09:07:44 fw sshd[66571]: Invalid user oracle from 208.44.210.15

In our 'periodic daily' report/email (only the list goes on for hundreds of attempts). Anyhow, long story short: is there not an easy way to make sshd block or deny hosts temporarily if X number of invalid login attempts are made within a minute's time? Must I use an external wrapper to accomplish this, or can it be done with options to sshd on its own?

--
Nathan Vidican
nvidican@wmptl.com
Windsor Match Plate & Tool Ltd.
http://www.wmptl.com/
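
Added example, not part of the original message: the "X invalid attempts within a minute" check from the question, run as a sliding window over the sshd lines quoted above. The function name, the threshold of 5 and the `year` parameter are assumptions made for illustration; the script only reports hosts and leaves the blocking action to whatever firewall is in use.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# First seven lines are quoted from the message above; the last is constructed.
SAMPLE_LOG = """\
Jan  1 09:07:34 fw sshd[66547]: Invalid user staff from 208.44.210.15
Jan  1 09:07:35 fw sshd[66549]: Invalid user sales from 208.44.210.15
Jan  1 09:07:36 fw sshd[66551]: Invalid user recruit from 208.44.210.15
Jan  1 09:07:37 fw sshd[66553]: Invalid user alias from 208.44.210.15
Jan  1 09:07:38 fw sshd[66555]: Invalid user office from 208.44.210.15
Jan  1 09:07:38 fw sshd[66557]: Invalid user samba from 208.44.210.15
Jan  1 09:07:39 fw sshd[66559]: Invalid user tomcat from 208.44.210.15
Jan  1 09:09:02 fw sshd[66601]: Invalid user bob from 198.51.100.7
"""

# The user name is text chosen by the remote side, so match it greedily and
# take the address only from the end of the line, where sshd writes the peer.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>.*) from (?P<ip>\S+?)(?: port \d+)?\s*$"
)

def hosts_over_limit(log_text, max_attempts=5, window_seconds=60, year=2007):
    """Map each source IP to the time it first exceeded max_attempts
    invalid-user attempts inside any sliding window of window_seconds."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            ip = str(ipaddress.ip_address(m["ip"]))
        except ValueError:
            continue  # trailing field is not a literal address; skip the line
        # Classic syslog timestamps carry no year; the caller supplies one.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        seen = recent[ip]
        seen.append(ts)
        while ts - seen[0] > window:
            seen.popleft()
        if len(seen) > max_attempts:
            flagged.setdefault(ip, ts)
    return flagged
```

On the sample, only 208.44.210.15 is reported, at its sixth attempt (09:07:38); the single attempt from the constructed address stays under the limit.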




