Are these attempts by password crackers??
Murray Taylor
murraytaylor at bytecraftsystems.com
Mon Oct 18 16:23:06 PDT 2004
The AllowUser parameter in ssh_config is handy too.
man sshd_config (5)
On Mon, 2004-10-18 at 17:00, Rob wrote:
> Odhiambo Washington wrote:
> > Hello users.
> > I run several 5.2.1 boxes (in production).
> >
> > For weeks now, I have seen a lot of notifications from periodic/daily
> > with the output below and I have questions:
> >
> >
> > 1. Is this some virus or some crackers playing around?
> > 2. Why only on 5.2.1 systems and not on any of the 4.10 boxes that I
> > also run?
> > 3. Am I supposed to be worried at all? Well, I am not ;)
> > I hate the messages though and there must be something here that I
> > need to do.
> >
> >
> > <cut>
> >
> > Oct 17 10:44:10 gw sshd[4170]: Failed password for nobody from 210.80.96.185 port 52215 ssh2
> > Oct 17 10:44:19 gw sshd[4172]: Failed password for patrick from 210.80.96.185 port 52337 ssh2
>
> These attackers seem to always poke at port 22 for ssh holes.
> I have three ways to prevent access, from easy to more difficult setup:
>
> 1. restrict sshd access in /etc/hosts.allow, by an entry like
>
> sshd : 225.50.0.0/255.255.0.0 : allow
> [...whatever access restrictions to other services...]
> ALL : ALL : deny
>
> where 225.50.0.0/255.255.0.0 is an example of the sub-network you're on.
> Only IPs from this network can access your PC via ssh.
>
> 2. shift your sshd access to another port, by modifying /etc/rc.conf
>
> sshd_flags="-p 4321"
>
> but then users should be informed to do "ssh -p 4321 ...." instead.
> Note: 4321 is just an example; choose your own number > 1024 here.
>
> 3. Use a firewall, that allows access via port 22 only for restricted IPs,
> but the other sshd port for the whole world.
> Modify /etc/rc.conf:
> sshd_flags="-p 22 -p 4321"
>
> And for example with ipfw:
>
> [...]
> check-state
> [...]
> allow tcp from any to me 4321 in via rl0 setup
> allow tcp from 225.50.0.0/16 to me ssh in via rl0 setup
>
> (replace "rl0" by your own device).
>
>
> I am using (3) and the sshd attacks have dropped to zero.
>
> Rob.
--
Murray Taylor
Special Projects Engineer
---------------------------------
Bytecraft Systems & Entertainment
P: +61 3 8710 2555
F: +61 3 8710 2599
D: +61 3 9238 4275
M: +61 417 319 256
E: murraytaylor at bytecraftsystems.com
or visit us on the web
http://www.bytecraftsystems.com
http://www.bytecraftentertainment.com
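
Added example, not part of the original thread: a small log check that groups the "Failed password" lines quoted above by source address and reports the addresses outside the trusted sub-network (Rob's 225.50.0.0/255.255.0.0 example) that made repeated attempts. The function names, the threshold of 3, the 10-minute window and the year are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# First two lines are the ones quoted in the thread; the rest are constructed.
SAMPLE_LOG = """\
Oct 17 10:44:10 gw sshd[4170]: Failed password for nobody from 210.80.96.185 port 52215 ssh2
Oct 17 10:44:19 gw sshd[4172]: Failed password for patrick from 210.80.96.185 port 52337 ssh2
Oct 17 10:44:27 gw sshd[4174]: Failed password for invalid user test from 210.80.96.185 port 52401 ssh2
Oct 17 11:02:03 gw sshd[4190]: Failed password for rob from 225.50.3.7 port 40112 ssh2
Oct 17 11:02:09 gw sshd[4190]: Accepted password for rob from 225.50.3.7 port 40112 ssh2
"""

# IPv4 sources only. Older OpenSSH wrote "illegal user" for unknown accounts.
FAILED = re.compile(
    r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: Failed password for "
    r"(?:(?:invalid|illegal) user )?(\S+) from (\d{1,3}(?:\.\d{1,3}){3}) port \d+")

def failed_logins(log_text, year=2004):
    """Yield (timestamp, user, source IP) for each failed password attempt."""
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            # syslog omits the year, so the caller supplies it (assumption).
            when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield when, m.group(2), ip_address(m.group(3))

def suspects(log_text, trusted="225.50.0.0/255.255.0.0", threshold=3,
             window=timedelta(minutes=10)):
    """Map each untrusted source IP that reached `threshold` failures inside
    one `window` to the sorted list of usernames it tried."""
    net = ip_network(trusted)
    by_ip = defaultdict(list)
    for when, user, ip in failed_logins(log_text):
        if ip not in net:
            by_ip[ip].append((when, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end, (when, _) in enumerate(events):
            while when - events[start][0] > window:
                start += 1  # slide the window's left edge forward
            if end - start + 1 >= threshold:
                flagged[str(ip)] = sorted({u for _, u in events})
                break
    return flagged
```

Calling suspects(SAMPLE_LOG) returns the one outside address together with the account names it tried; the failed attempt from inside the trusted sub-network is ignored.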