Date: Wed, 03 Jan 2007 05:38:18 -0800 From: Michael <bsdquestions@gmail.com> To: Per olof Ljungmark <peo@intersonic.se> Cc: questions@freebsd.org, Nathan Vidican <nvidican@wmptl.com> Subject: Re: sshd break-in attempt Message-ID: <459BB1CA.1010008@gmail.com> In-Reply-To: <459A6AF0.30305@intersonic.se> References: <459A5A45.4080309@wmptl.com> <459A6AF0.30305@intersonic.se>
next in thread | previous in thread | raw e-mail | index | archive | help
Per olof Ljungmark wrote: > Nathan Vidican wrote: >> We keep getting attempts from what look like a username/password >> scanner utility to login to our servers externally via sshd. >> Thankfully, we're not ignorant enough to leave common account names >> open, however it is annoying to say the least. We're getting things >> like this: >> >> Jan 1 09:07:34 fw sshd[66547]: Invalid user staff from 208.44.210.15 >> Jan 1 09:07:35 fw sshd[66549]: Invalid user sales from 208.44.210.15 >> Jan 1 09:07:36 fw sshd[66551]: Invalid user recruit from 208.44.210.15 >> Jan 1 09:07:37 fw sshd[66553]: Invalid user alias from 208.44.210.15 >> Jan 1 09:07:38 fw sshd[66555]: Invalid user office from 208.44.210.15 >> Jan 1 09:07:38 fw sshd[66557]: Invalid user samba from 208.44.210.15 >> Jan 1 09:07:39 fw sshd[66559]: Invalid user tomcat from 208.44.210.15 >> Jan 1 09:07:40 fw sshd[66561]: Invalid user webadmin from 208.44.210.15 >> Jan 1 09:07:41 fw sshd[66563]: Invalid user spam from 208.44.210.15 >> Jan 1 09:07:42 fw sshd[66565]: Invalid user virus from 208.44.210.15 >> Jan 1 09:07:43 fw sshd[66567]: Invalid user cyrus from 208.44.210.15 >> Jan 1 09:07:43 fw sshd[66569]: Invalid user staff from 208.44.210.15 >> Jan 1 09:07:44 fw sshd[66571]: Invalid user oracle from 208.44.210.15 >> >> In our 'periodic daily' report/email, (only the list goes on for >> hundreds of attempts). Anyhow, long story short; is there not an easy >> way to make sshd block or deny hosts temporarily if X number of >> invalid login attempts are made within a minute's time? Must I use an >> external wrapper to accomplish this, or can it be done with options >> to sshd on it's own? > > There are several ways to block the attacks, one pointed out by first > respondent, we use Denyhosts and sshblock here. > > Google should point you several others. > http://www.google.se/search?hl=en&q=ssh+attacks&btnG=Google+Search > _______________________________________________ > freebsd-questions@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to > "freebsd-questions-unsubscribe@freebsd.org" > As I have mentioned before here on this list, we use Blockhosts which has been extremely effective in blocking these after X number of attempts. You can find it here: http://www.aczoom.com/cms/blockhosts Give it a go, I think you'll be very happy with the results. Michael
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?459BB1CA.1010008>