repeated ssh login attempts/failure/break-in attempts from
kiddy script
fbsd_user
fbsd_user at a1poweruser.com
Fri Mar 31 15:32:09 UTC 2006
What you are seeing is ssh doing it's job like its designed to do.
This is not anything you have to worry about.
If you don't want to see these messages in your auth.log then
change syslog.conf to only send critical messages to the log.
There are a few different ports in the FreeBSD ports collection
which address this problem by adding deny ip address rules to
your firewall. The denyhosts port is the most popular.
But this is just make busy work as it does not really provide
any greater security than ssh is providing it's self.
The facts of life is script kiddies and robots roll through ranges
of
ip address looking for open ssh ports and then mount a attack. There
is
nothing you can do about this except change the port
number ssh uses to some high port number.
With only 4 remote ssh users far better to change the port number
ssh
uses and just have your remote ssh users add the port number
to use in their ssh client.
Here is document to explain how to do that in detail.
http://elibrary.fultus.com/technical/index.jsp?topic=/com.fultus.doc
s.software/books/ssh_how-to/cover.html
-----Original Message-----
From: owner-freebsd-questions at freebsd.org
[mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Nathan
Vidican
Sent: Friday, March 31, 2006 8:43 AM
To: questions at freebsd.org
Subject: repeated ssh login attempts/failure/break-in attempts from
kiddy script
Noted recently in auth.log, a string of connection attempts
repeated/failed over
and over from one host - looks like a script someone's running,
tries all kinds
of various usernames, etc... attempts like 100-200 logins, fails and
goes away.
Few hours go by, and another such attempt, from a different IP comes
in. If I'm
here and just happen to notice them - simple ipfw add deny... does
the trick,
but is there not a way to limit the login attempts for a certain
period of time?
ie: after 4 failed attempts from IP _BLANK_ in less than _BLANK_
minutes, deny
all attempts and drop connection from said IP... possible?
Any suggestions/ideas? Thus far, no one has managed to login (there
are only
three accounts which even have a shell or can login via ssh... but
still not the
point). I'd just like to get rid of the problem and save my auth.log
file for
perhaps something more useful ;)
--
Nathan Vidican
nvidican at wmptl.com
Windsor Match Plate & Tool Ltd.
http://www.wmptl.com/
_______________________________________________
freebsd-questions at freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to
"freebsd-questions-unsubscribe at freebsd.org"
More information about the freebsd-questions
mailing list