too many illegal connection attempts through ssh
Rob
spamrefuse at yahoo.com
Wed Apr 6 00:34:27 PDT 2005
Edwin D. Vinas wrote:
> hello,
>
> shown below is a snapshot of too many illegal
> attempts to login to my server from a suspicious
> hacker. this is taken from the "/var/log/auth.log".
> my question is, how do i automatically block an
> IP address if it is attempting to guess my login
> usernames? can i configure the firewall to check
> the instances a certain IP has
My solution is not foolproof, but appears to be good
enough to stop these bulk attacks on my server. I use
a combination of firewall & alternative sshd port.
For example, in /etc/rc.conf, I have:
    sshd_enable="YES"
    sshd_flags="-p 22 -p 1234"
(choose for 1234 whatever alternative port number you
prefer)
Then add two tcp rules to your firewall:
    ipfw add allow log tcp from 55.44.33.22/11 to \
        ${oip} ssh in via ${oif} setup
    ipfw add allow log tcp from any to ${oip} 1234 \
        in via ${oif} setup
where "55.44.33.22/11" represents your, more or less,
trusted nearby network, ${oip} your outbound IP and
${oif} your outbound interface (e.g. rl0).
I suppose you're familiar enough with firewall rules.
These firewall rules allow 'regular' ssh connections
only from within your nearby network; all other
parties must connect over the alternative port number,
1234 in this example.
Regards,
Rob.
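
One way to check which sources are still producing failed logins after a setup like the one above, as an added example that is not part of the original post: it counts failed-login lines per source address in auth.log-style input and skips a trusted network given in CIDR form. The function names, the sample log lines and the addresses are constructed for illustration, and the sshd message wordings matched here are an assumption about the local OpenSSH version.

```shell
#!/bin/sh
# Added example (not from the original post). Lists IPv4 sources with at
# least MIN failed-login lines, skipping a trusted network.
# usage: ssh_offenders MIN TRUSTED_CIDR [auth.log ...]   (stdin if no file)
ssh_offenders() {
    min=$1 cidr=$2; shift 2
    awk -v min="$min" -v cidr="$cidr" '
    function ip2int(ip,    o) {
        if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) return -1
        split(ip, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    BEGIN {
        split(cidr, c, "/")
        size = 2 ^ (32 - c[2])          # addresses covered by the prefix
        net = int(ip2int(c[1]) / size)  # network number of the trusted block
    }
    # Wording varies by OpenSSH version: "Illegal user" (older releases),
    # "Invalid user" (newer ones), plus "Failed password for ...".
    /sshd\[[0-9]+\]: (Illegal user|Invalid user|Failed password for) / {
        ip = ""
        # The user name is attacker-supplied, so trust only the last "from".
        for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
        n = ip2int(ip)
        if (n < 0 || int(n / size) == net) next
        hits[ip]++                      # counts log lines, not sessions
    }
    END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
    ' "$@" | sort -rn
}

# Constructed sample input (documentation address ranges, made-up hosts).
sample_log() {
    cat <<'EOF'
Apr  5 23:10:01 host sshd[411]: Illegal user test from 203.0.113.7
Apr  5 23:10:03 host sshd[411]: Failed password for illegal user test from 203.0.113.7 port 40112 ssh2
Apr  5 23:10:05 host sshd[413]: Illegal user guest from 203.0.113.7
Apr  5 23:11:40 host sshd[420]: Failed password for root from 192.0.2.99 port 51000 ssh2
Apr  5 23:12:00 host sshd[425]: Failed password for alice from 198.51.100.20 port 3022 ssh2
Apr  5 23:12:02 host sshd[425]: Failed password for alice from 198.51.100.20 port 3022 ssh2
Apr  5 23:12:09 host sshd[425]: Accepted password for alice from 198.51.100.20 port 3022 ssh2
EOF
}

sample_log | ssh_offenders 2 198.51.100.0/24
```

Each output line is a count followed by the source address; older sshd versions log two lines for one attempt by an unknown user, so treat the count as a relative measure.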
More information about the freebsd-questions
mailing list