From: Murray Taylor
To: Rob
Cc: freebsdquestions
Subject: Re: Are these attempts by password crackers??
Date: Tue, 19 Oct 2004 09:22:01 +1000
Organization: Bytecraft Systems
Delivered-To: freebsd-questions@freebsd.org
Message-Id: <1098141721.25732.165.camel@wstaylorm.dand06.au.bytecraft.au.com>
In-Reply-To: <41736A22.7000900@yahoo.com>
References: <20041018055122.GB35360@ns2.wananchi.com> <41736A22.7000900@yahoo.com>

The AllowUser parameter in ssh_config is handy too.

man sshd_config (5)

On Mon, 2004-10-18 at 17:00, Rob wrote:
> Odhiambo Washington wrote:
> > Hello users.
> > I run several 5.2.1 boxes (in production).
> >
> > For weeks now, I have seen a lot of notifications from periodic/daily
> > with the output below and I have questions:
> >
> > 1. Is this some virus or some crackers playing around?
> > 2. Why only on 5.2.1 systems and not on any of the 4.10 boxes that I
> >    also run?
> > 3. Am I supposed to be worried at all? Well, I am not ;)
> >    I hate the messages though and there must be something here that I
> >    need to do.
> >
> > Oct 17 10:44:10 gw sshd[4170]: Failed password for nobody from 210.80.96.185 port 52215 ssh2
> > Oct 17 10:44:19 gw sshd[4172]: Failed password for patrick from 210.80.96.185 port 52337 ssh2
>
> These attackers seem to always poke at port 22 for ssh holes.
> I have three ways to prevent access, from easy to more difficult setup:
>
> 1. restrict sshd access in /etc/hosts.allow, by an entry like
>
>      sshd : 225.50.0.0/255.255.0.0 : allow
>      [...whatever access restrictions to other services...]
>      ALL : ALL : deny
>
>    where 225.50.0.0/255.255.0.0 is an example of the sub-network you're on.
>    Only IPs from this network can access your PC via ssh.
>
> 2. shift your sshd access to another port, by modifying /etc/rc.conf
>
>      sshd_flags="-p 4321"
>
>    but then users should be informed to do "ssh -p 4321 ...." instead.
>    Note: 4321 is just an example; choose your own number > 1024 here.
>
> 3. Use a firewall, that allows access via port 22 only for restricted IPs,
>    but the other sshd port for the whole world.
>    Modify /etc/rc.conf:
>      sshd_flags="-p 22 -p 4321"
>
>    And for example with ipfw:
>
>      [...]
>      check-state
>      [...]
>      allow tcp from any to me 4321 in via rl0 setup
>      allow tcp from 225.50.0.0/16 to me ssh in via rl0 setup
>
>    (replace "rl0" by your own device).
>
> I am using (3) and the sshd attacks have dropped to zero.
>
> Rob.

-- 
Murray Taylor
Special Projects Engineer
Bytecraft Systems & Entertainment
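
Added example, not part of the original message: a POSIX sh/awk summary of the "Failed password" lines that periodic/daily reports, counting failures and distinct user names per source address. The function names and every sample line after the first two are constructed for illustration, and the "illegal user"/"invalid user" prefixes are an assumption about what the local sshd version logs.

```shell
#!/bin/sh
# Added example. Function names are hypothetical, not from the post.

# Constructed sample input: the first two lines are quoted from the post, the
# rest are made up (documentation addresses) to exercise the edge cases.
sample_log() {
    cat <<'EOF'
Oct 17 10:44:10 gw sshd[4170]: Failed password for nobody from 210.80.96.185 port 52215 ssh2
Oct 17 10:44:19 gw sshd[4172]: Failed password for patrick from 210.80.96.185 port 52337 ssh2
Oct 17 11:02:01 gw sshd[4199]: Failed password for illegal user test from 198.51.100.9 port 40011 ssh2
Oct 17 11:02:04 gw sshd[4200]: Failed password for invalid user test from 198.51.100.9 port 40017 ssh2
Oct 17 11:02:07 gw sshd[4201]: Failed password for invalid user a from 192.0.2.7 from 198.51.100.9 port 40022 ssh2
Oct 17 11:05:40 gw sshd[4210]: Accepted password for rob from 192.0.2.50 port 40100 ssh2
EOF
}

# Read syslog lines on stdin; print "<source-ip> <failures> <distinct-users>",
# busiest source first.
summarize_failed_ssh() {
    awk '
    / sshd\[[0-9]+\]: Failed password for / &&
    $(NF-4) == "from" && $(NF-2) == "port" {
        # The user name is supplied by the remote client and may contain
        # spaces or the word "from", so take the address by position from
        # the END of the line rather than after the first "from".
        ip    = $(NF-3)
        tail  = " from " ip " port " $(NF-1) " " $NF
        pre   = "Failed password for "
        start = index($0, pre) + length(pre)
        user  = substr($0, start, length($0) - start + 1 - length(tail))
        # Assumed prefixes for unknown accounts: "illegal user" (older
        # OpenSSH) and "invalid user" (newer).
        sub(/^(invalid|illegal) user /, "", user)
        fails[ip]++
        if (!((ip, user) in seen)) { seen[ip, user] = 1; users[ip]++ }
    }
    END { for (ip in fails) print ip, fails[ip], users[ip] }
    ' | sort -k2,2nr -k1,1
}

sample_log | summarize_failed_ssh
```

A source that tries many distinct user names in a short time is the pattern the quoted log lines show; the address ranges this surfaces are the ones to check against the hosts.allow and ipfw rules quoted above.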