Date: Tue, 7 Feb 2006 09:17:26 +0000
From: "Nigel (Merv) Hughes" <merv@merv.org.uk>
To: freebsd-questions@freebsd.org
Cc: Brad Gilmer <bgilmer@gilmer.org>
Subject: Re: sshd possible breakin attempt messages
Message-ID: <200602070917.27095.merv@merv.org.uk>
In-Reply-To: <20060206162304.GA83056@gilmer.org>
References: <20060206162304.GA83056@gilmer.org>
Hi Brad,

I don't know much about the nuts and bolts of FreeBSD or Security, but I recently had the same problem as you. I found that the DenyHosts port (http://denyhosts.sourceforge.net/index.html) fixed the problem very well. The non-standard, hosts.evil, set-up works best with the FreeBSD hosts.allow format. You end up with a hosts.allow that looks a bit like this:

#
# DenyHosts cron job checks the logs and adds
# the bad IPs to hosts.evil
#
ALL: /usr/local/etc/hosts.evil : deny
#
# Trust everyone until the logs say they tried a bad thing.
#
ALL : ALL : allow

The FAQs on the website are very good and the DenyHosts config file is well commented, so the set-up and install is very easy.

I hope this helps.

Merv

On Monday 06 February 2006 16:23, Brad Gilmer wrote:
> Hello all,
>
> I guess one of the banes of our existence as Sys Admins is that people are
> always pounding away at our systems trying to break in. Lately, I have
> been getting hit with several hundred of the messages below per day in my
> security report output...
>
> gilmer.org login failures:
> Feb 5 11:18:17 gilmer sshd[78078]: reverse mapping checking getaddrinfo for 206-171-37-232.ded.pacbell.net failed - POSSIBLE BREAKIN ATTEMPT!
> Feb 5 11:18:18 gilmer sshd[78080]: reverse mapping checking getaddrinfo for 206-171-37-232.ded.pacbell.net failed - POSSIBLE BREAKIN ATTEMPT!
> Feb 5 11:18:20 gilmer sshd[78082]: reverse mapping checking getaddrinfo for 206-171-37-232.ded.pacbell.net failed - POSSIBLE BREAKIN ATTEMPT!
>
> I am running FreeBSD 5.4 RELEASE, and right now this box is not a
> production machine, but I am going to be taking it live fairly soon.
> Questions:
>
> 1) Is there anything I should be doing to thwart this particular attack?
> 2) Given that I am on 5.4, should I upgrade my sshd or do anything else at
> this point to make sure my machine is as secure as possible?
> 3) (Meta-question) - Should I upgrade to 6.0 before I go live to be sure I am
> in the best possible security situation going forward? Should I wait until
> 6.1 for bug fixes (generally I am opposed to n.0 anything).
>
> Thanks
> Brad
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe@freebsd.org"
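An added example, written for this archive page and not part of either message above nor of the DenyHosts project: a Python script that tallies sshd log lines of the kind Brad quoted and renders a host list in the shape the "ALL: /usr/local/etc/hosts.evil : deny" rule from Merv's hosts.allow consumes (tcp_wrappers reads a file named in a rule as host patterns, one or more per line). The sample input is constructed: the first three lines copy the message shape from the thread, the "Failed password" lines are OpenSSH's standard authentication-failure message and do not appear on the page. The threshold, the comment text written into the list, and the choice to tally the reverse-mapping messages separately rather than block on them (sshd emits that message when a client's PTR name does not resolve back to its address, which a legitimate client from a badly delegated network trips just as well) are this example's own decisions, not DenyHosts's logic.

```python
"""Tally sshd failures per source and render a tcp_wrappers deny list (hosts.evil style)."""
import ipaddress
import re
from collections import Counter

# Constructed sample input (not from the page): the three reverse-mapping lines copy the
# shape Brad quoted; the "Failed password" lines are standard OpenSSH messages added here.
SAMPLE_LOG = """\
Feb  5 11:18:17 gilmer sshd[78078]: reverse mapping checking getaddrinfo for 206-171-37-232.ded.pacbell.net failed - POSSIBLE BREAKIN ATTEMPT!
Feb  5 11:18:18 gilmer sshd[78080]: reverse mapping checking getaddrinfo for 206-171-37-232.ded.pacbell.net failed - POSSIBLE BREAKIN ATTEMPT!
Feb  5 11:18:20 gilmer sshd[78082]: reverse mapping checking getaddrinfo for 206-171-37-232.ded.pacbell.net failed - POSSIBLE BREAKIN ATTEMPT!
Feb  5 11:18:23 gilmer sshd[78082]: Failed password for invalid user admin from 192.0.2.10 port 4123 ssh2
Feb  5 11:18:25 gilmer sshd[78084]: Failed password for invalid user test from 192.0.2.10 port 4125 ssh2
Feb  5 11:18:27 gilmer sshd[78086]: Failed password for root from 192.0.2.10 port 4127 ssh2
Feb  5 11:19:02 gilmer sshd[78090]: Failed password for brad from 198.51.100.7 port 50122 ssh2
Feb  5 11:19:10 gilmer sshd[78090]: Accepted password for brad from 198.51.100.7 port 50122 ssh2
"""

# The message from the thread: a PTR/forward DNS mismatch, reported separately, never blocked on.
DNS_MISMATCH = re.compile(r"reverse mapping checking getaddrinfo for (\S+) failed")
# Real authentication failures carry the peer address after "from".
AUTH_FAILURE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

# Only a bare IP address or a plain hostname is allowed into the deny list. tcp_wrappers
# treats ALL/LOCAL/KNOWN/UNKNOWN/PARANOID, leading/trailing dots, '/', '@' and '*' as
# patterns or keywords, so a crafted username-style string must never reach the file.
TCPD_KEYWORDS = {"ALL", "LOCAL", "KNOWN", "UNKNOWN", "PARANOID"}
HOSTNAME = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*$")


def classify(line):
    """Return ("dns_mismatch", name), ("auth_failure", address) or None for other lines."""
    m = DNS_MISMATCH.search(line)
    if m:
        return ("dns_mismatch", m.group(1))
    m = AUTH_FAILURE.search(line)
    if m:
        return ("auth_failure", m.group(1))
    return None


def tally(log_text):
    """Count auth failures per source address and DNS mismatches per reported name."""
    auth, dns = Counter(), Counter()
    for line in log_text.splitlines():
        hit = classify(line)
        if hit is None:
            continue
        kind, who = hit
        (auth if kind == "auth_failure" else dns)[who] += 1
    return auth, dns


def safe_host_pattern(host):
    """True only for a literal IPv4/IPv6 address or an ordinary hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return bool(HOSTNAME.match(host)) and host.upper() not in TCPD_KEYWORDS


def offenders(auth, threshold=3):
    """Sources with at least `threshold` auth failures (threshold is this example's choice)."""
    return sorted(h for h, n in auth.items() if n >= threshold and safe_host_pattern(h))


def render_hosts_evil(hosts):
    """Render the deny list: comment header, then one host per line."""
    lines = [
        "# hosts denied by the sshd failure tally; one host per line, consumed by",
        "# 'ALL: /usr/local/etc/hosts.evil : deny' in /etc/hosts.allow",
    ]
    lines += hosts
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    auth_counts, dns_counts = tally(SAMPLE_LOG)
    for name, n in dns_counts.most_common():
        print(f"# reverse-mapping failures (not blocked): {name} x{n}")
    print(render_hosts_evil(offenders(auth_counts)), end="")
```

Run against the sample, the script lists 192.0.2.10 (three failures) and leaves out 198.51.100.7, whose single failure was followed by a successful login; the pacbell host only shows up in the reverse-mapping report. The rule only has effect for services that consult tcp_wrappers, and the script as written prints to stdout, so writing the result over /usr/local/etc/hosts.evil atomically (write to a temporary file, then rename) is left to the cron job that calls it.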