Date: Tue, 24 Jan 2006 22:02:26 +0100
From: "Ilias Sachpazidis" <isachpaz@igd.fhg.de>
To: <freebsd-questions@freebsd.org>
Subject: auth.log & intruder prevention
Message-ID: <002401c62129$7c138e70$050a0a0a@hermes>
In-Reply-To: <43D67DC9.5030509@infracaninophile.co.uk>

Hi Everyone,

In auth.log of my FreeBSD boxes I got many requests to port 22, as you
can see below.

----begin of snippet
Jan 22 11:21:50 zeus sshd[92900]: Failed password for illegal user cracking from 65.208.188.105 port 58344 ssh2
Jan 22 11:21:53 zeus sshd[92902]: Failed password for illegal user hacking from 65.208.188.105 port 58443 ssh2
Jan 22 11:21:55 zeus sshd[92904]: Failed password for illegal user lol from 65.208.188.105 port 58543 ssh2
Jan 22 11:21:57 zeus sshd[92906]: Failed password for illegal user pgl from 65.208.188.105 port 58640 ssh2
Jan 22 11:22:00 zeus sshd[92908]: Failed password for illegal user player from 65.208.188.105 port 58741 ssh2
Jan 22 11:22:02 zeus sshd[92910]: Failed password for illegal user root4me from 65.208.188.105 port 58842 ssh2
----end of snippet

I am wondering if any script is available to prevent hundreds of
attempts on port 22 from external IPs that are constantly checking
user & passwords on my FreeBSD PCs.

What I am looking for is a daemon application/script that receives
the recorded data from auth.log and detects if any remote client
(IP address) is checking user and passwords (Detection pattern: 5 missing
attempts in 1 min). On a successful detection, the script should add an
ipfw rule rejecting further IP packets from the specific remote address.

Is any script or something similar available so far?

All the best,
Ilias