I got annoyed with all the illegal ssh login attempts, so I now use this little program in crontab: http://www.ankeborg.nu/~sjk/ssh.c (don't use it if you don't understand it.)
On 8/24/05, Chris St Denis <[EMAIL PROTECTED]> wrote:
>
> How can I easily auto deny after x failed attempts? Is this an sshd
> setting?
> I could find it.
>
> Is there something in ports that will firewall off somebody who is brute
> forcing?
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Pat Maddox
> Sent: Tuesday, August 23, 2005 9:27 PM
> To: FreeBSD Questions
> Subject: Re: Illegal access attempt - FreeBSD 5.4 Release - please advise
>
> It's not that big of a deal...they didn't get in or anything. If
> you've got a server that's always connected to the internet, you'll
> see people trying to break in all the time. The more popular your
> server, the more frequent the attempts. This is just someone trying
> to log in via SSH - so as long as you have good passwords on all your
> accounts, and disable remote root login, you're fine.
>
> You may consider denying access after X failed login attempts.
>
>
> On 8/23/05, ro ro <[EMAIL PROTECTED]> wrote:
> > Hi All,
> >
> > I was browsing through my log files and noticed that
> > someone (or many people) is trying to gain illegal
> > access to my server (see snippet from log files
> > below).
> >
> > The below log file clearly indicates someone trying to
> > hack away at my personal server.
> >
> > I performed the following steps:
> >
> > nmap -v 210.0.142.153
> >
> > and noticed that this person/institution had port 80
> > and 21 open.
> >
> > I visited their website and it appears to be someone
> > from Hong Kong.
> > http://www.chkpcc.edu.hk/
> >
> > HERE IS THEIR CONTACT INFORMATION AS IT APPEARS ON
> > THEIR WEBSITE
> > -------------------------------------------------------------
> > Confucian Ho Kwok Pui Chun College 孔 教 學 院 何 郭 佩 珍 中 學
> > Address 地址: Fu Shin Est., Taipo, N.T., HKSAR 香港新界大埔富善村
> > Tel 電話: 852-2666-5926
> > Fax 傳真: 852-2660-7988
> > E-mail 電郵: [EMAIL PROTECTED]
> > -------------------------------------------------------------
> >
> > When I saw the logs for the first time, I took the
> > following steps:
> > 1) AllowUsers in sshd contained only users that I
> > wanted to have access to my ssh
> > 2) Created a decent ruleset within ipfw that permitted
> > incoming access to only two ports ssh and http
> >
> > I took the issue of creating a good firewall quite
> > lightly and now I regret that decision.. now I have
> > learnt... Can someone provide me with guidance on this
> > issue and advise me on next steps to take action
> > against such losers.
> >
> > Thanks
> > RV
> >
> > Aug 23 08:19:03 free sshd[22519]: Illegal user lp from 210.0.142.153
> > Aug 23 08:19:06 free sshd[22521]: Illegal user admin from 210.0.142.153
> > Aug 23 08:19:08 free sshd[22523]: Illegal user admin from 210.0.142.153
> > Aug 23 08:19:10 free sshd[22525]: Illegal user admin from 210.0.142.153
> > Aug 23 08:19:12 free sshd[22527]: Illegal user admin from 210.0.142.153
> > Aug 23 08:19:15 free sshd[22529]: Illegal user admin from 210.0.142.153
> > Aug 23 08:19:17 free sshd[22531]: Illegal user admin from 210.0.142.153
> > Aug 23 08:19:19 free sshd[22533]: Illegal user admin from 210.0.142.153
> > Aug 23 08:19:22 free sshd[22535]: User root not allowed because not listed in AllowUsers
> > Aug 23 08:19:24 free sshd[22537]: User root not allowed because not listed in AllowUsers
> > Aug 23 08:19:27 free sshd[22539]: User root not allowed because not listed in AllowUsers
> > Aug 23 08:19:29 free sshd[22541]: User root not allowed because not listed in AllowUsers
> > Aug 23 08:19:33 free sshd[22543]: User root not allowed because not listed in AllowUsers
> > Aug 23 08:19:35 free sshd[22545]: User root not allowed because not listed in AllowUsers
> > Aug 23 08:19:37 free sshd[22547]: Illegal user apache from 210.0.142.153
> > Aug 23 08:19:40 free sshd[22549]: Illegal user dan from 210.0.142.153
> > Aug 23 08:19:42 free sshd[22551]: Illegal user electra from 210.0.142.153
> > Aug 23 08:19:44 free sshd[22553]: Illegal user student from 210.0.142.153
> > Aug 23 08:19:47 free sshd[22555]: Illegal user school from 210.0.142.153
> > Aug 23 08:19:49 free sshd[22557]: User mysql not allowed because not listed in AllowUsers
> >
> > Aug 11 20:16:10 free sshd[21585]: Illegal user test from 210.245.197.16
> > Aug 11 20:16:12 free sshd[21587]: Illegal user guest from 210.245.197.16
> > Aug 11 20:16:14 free sshd[21589]: Illegal user admin from 210.245.197.16
> > Aug 11 20:16:16 free sshd[21591]: Illegal user admin from 210.245.197.16
> > Aug 11 20:16:23 free sshd[21593]: Illegal user user from 210.245.197.16
> > Aug 11 20:16:32 free sshd[21601]: Illegal user test from 210.245.197.16
> >
> > Aug 14 03:39:21 free sshd[32377]: Illegal user 1 from 61.145.222.10
> > Aug 14 03:39:26 free sshd[32379]: Illegal user a from 61.145.222.10
> > Aug 14 03:39:31 free sshd[32381]: Illegal user a from 61.145.222.10
> > Aug 14 03:39:38 free sshd[32383]: Illegal user abuse from 61.145.222.10
> > Aug 14 10:47:49 free sshd[33623]: Illegal user admin from 64.222.146.197
> > Aug 14 10:47:51 free sshd[33625]: Illegal user administrator from 64.222.146.197
> > Aug 14 10:47:52 free sshd[33627]: Illegal user jack from 64.222.146.197
> > Aug 14 10:47:53 free sshd[33629]: Illegal user marvin from 64.222.146.197
> > Aug 14 10:47:58 free sshd[33631]: Illegal user andres from 64.222.146.197
> > Aug 14 10:47:59 free sshd[33633]: Illegal user barbara from 64.222.146.197
> > Aug 14 10:48:01 free sshd[33635]: Illegal user adine from 64.222.146.197
> > Aug 14 10:48:02 free sshd[33637]: Illegal user test from 64.222.146.197
> > Aug 14 10:48:04 free sshd[33639]: Illegal user guest from 64.222.146.197
> > Aug 14 10:48:07 free sshd[33641]: Illegal user db from 64.222.146.197
> >
> > Aug 23 08:18:40 free sshd[22499]: Illegal user demo from 210.0.142.153
> > Aug 23 08:18:43 free sshd[22501]: Illegal user postgres from 210.0.142.153
> > Aug 23 08:18:45 free sshd[22503]: Illegal user postmaster from 210.0.142.153
> > Aug 23 08:18:47 free sshd[22505]: Illegal user postgres from 210.0.142.153
> > Aug 23 08:18:49 free sshd[22507]: Illegal user postgres from 210.0.142.153
> > Aug 23 08:18:52 free sshd[22509]: Illegal user ftp from 210.0.142.153
> > Aug 23 08:18:54 free sshd[22511]: User news not allowed because not listed in AllowUsers
> > Aug 23 08:18:56 free sshd[22513]: Illegal user demo from 210.0.142.153
> > Aug 23 08:18:58 free sshd[22515]: Illegal user demouser from 210.0.142.153
> > Aug 23 08:19:01 free sshd[22517]: User sshd not allowed because not listed in AllowUsers
> >
> > _______________________________________________
> > freebsd-questions@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to "[EMAIL PROTECTED]"

--
John Macintosh
irc.ambernet.se admin (AmberNet)
irc.pte.hu oper (EFnet)
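The "deny after X failed attempts" idea raised in this thread, written as a log scan that counts `Illegal user` lines per source address inside a sliding time window. This is an added example, not the ssh.c program linked in the message (its contents are not shown here); the function name, threshold, window and the sample addresses are assumptions, and turning the result into ipfw rules is left out.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the log format quoted in the thread (RFC 5737 addresses).
SAMPLE_LOG = """\
Aug 23 08:19:03 free sshd[22519]: Illegal user lp from 198.51.100.7
Aug 23 08:19:06 free sshd[22521]: Illegal user admin from 198.51.100.7
Aug 23 08:19:08 free sshd[22523]: Illegal user test user from 198.51.100.7
Aug 23 08:19:22 free sshd[22535]: User root not allowed because not listed in AllowUsers
Aug 23 08:19:37 free sshd[22547]: Illegal user apache from 198.51.100.7
Aug 23 08:19:40 free sshd[22549]: Illegal user dan from 198.51.100.7
Aug 14 03:39:21 free sshd[32377]: Illegal user a from 192.0.2.10
"""

LINE = re.compile(r"^(\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (.*)$")
# The user name is chosen by the remote client and may contain spaces, so the
# address is read from the end of the line only (greedy ".*" plus "$").
ILLEGAL = re.compile(r"^Illegal user .* from (\S+)$")
DENIED = re.compile(r"^User \S+ not allowed because not listed in AllowUsers$")

def offenders(log_text, threshold=5, window=timedelta(minutes=1), year=2005):
    """Return ({address: peak attempts in one window}, unattributed_count).
    syslog stamps carry no year, so the caller supplies one."""
    times, unattributed = defaultdict(list), 0
    for m in filter(None, map(LINE.match, log_text.splitlines())):
        stamp, msg = m.groups()
        if DENIED.match(msg):
            unattributed += 1  # this message carries no source address
        elif (hit := ILLEGAL.match(msg)):
            try:
                ip = str(ipaddress.ip_address(hit.group(1)))
            except ValueError:
                continue  # not an address: never pass it to a firewall
            times[ip].append(datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"))
    flagged = {}
    for ip, stamps in times.items():
        stamps.sort()  # the excerpt in the thread is not in time order
        start = peak = 0
        for end, when in enumerate(stamps):
            while when - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged, unattributed

if __name__ == "__main__":
    print(offenders(SAMPLE_LOG))
```

The `not listed in AllowUsers` lines in the quoted excerpt carry no source address, so the scan can only count them; a blocker built on this log format sees the address only on the `Illegal user` lines.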