From: Adam Vande More
To: David Southwell
Cc: freebsd-questions@freebsd.org
Date: Mon, 18 Jan 2010 16:53:14 -0600
Subject: Re: /etc/hosts.deniedssh

On Mon, Jan 18, 2010 at 4:39 PM, David Southwell wrote:

> Examples from hosts.deniedssh
> I seem to be on the receiving end of a concerted series of unsuccessful
> break in attacks on one of our systems. One small part of the attack has
> resulted in over 2000 entries in our hosts.deniedssh file in less than 1 hour.
>
> I would be interested in any comments on the small example shown below and
> any advice.
>
> Thanks in advance
>
> David

Looks like your conf could use some love. Why are you resolving ip's? Thresholds can be lowered. Are you syncing with remote list?

--
Adam Vande More
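
An added example, not part of the original message: a POSIX sh audit of a deny file such as /etc/hosts.deniedssh that reports how many entries are repeats and how many were stored as hostnames rather than addresses, the two symptoms the reply asks about. The function names and the sample entries are hypothetical; the script assumes one entry per line, either bare or in "daemon: entry" form.

```shell
#!/bin/sh
# audit_denyfile FILE
# Prints: total=<n> unique=<n> hostnames=<n> max_repeat=<n>
audit_denyfile() {
    awk '
    # Skip blank lines and comments.
    /^[ \t]*(#|$)/ { next }
    {
        # Bare entry or "daemon: entry": the last field is the host.
        entry = $NF
        total++
        if (!(entry in seen)) {
            unique++
            # Not a dotted-quad IPv4 and not an IPv6 literal: it was
            # written as a resolved name, so a reverse lookup happened.
            if (entry !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && entry !~ /:/)
                hostnames++
        }
        seen[entry]++
        if (seen[entry] > max) max = seen[entry]
    }
    END {
        printf "total=%d unique=%d hostnames=%d max_repeat=%d\n",
               total, unique, hostnames, max
    }' "$1"
}

# Constructed sample: documentation addresses and example.net names,
# not entries taken from the thread.
sample_denyfile() {
    cat <<'EOF'
# constructed sample
host-a.example.net
host-b.example.net
192.0.2.10
host-a.example.net
sshd: 198.51.100.7
host-a.example.net
EOF
}

# Stand-alone demo on the constructed sample.
tmp=$(mktemp) && sample_denyfile > "$tmp" && audit_denyfile "$tmp"
rm -f "$tmp"
```

A large gap between total and unique means the same sources are being appended again and again; a non-zero hostnames count means entries depend on reverse DNS, which the owner of the remote address controls.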