We keep getting attempts from what look like a username/password scanner utility to log in to our servers externally via sshd. Thankfully, we're not ignorant enough to leave common account names open; however, it is annoying to say the least. We're getting things like this:

Jan  1 09:07:34 fw sshd[66547]: Invalid user staff from 208.44.210.15
Jan  1 09:07:35 fw sshd[66549]: Invalid user sales from 208.44.210.15
Jan  1 09:07:36 fw sshd[66551]: Invalid user recruit from 208.44.210.15
Jan  1 09:07:37 fw sshd[66553]: Invalid user alias from 208.44.210.15
Jan  1 09:07:38 fw sshd[66555]: Invalid user office from 208.44.210.15
Jan  1 09:07:38 fw sshd[66557]: Invalid user samba from 208.44.210.15
Jan  1 09:07:39 fw sshd[66559]: Invalid user tomcat from 208.44.210.15
Jan  1 09:07:40 fw sshd[66561]: Invalid user webadmin from 208.44.210.15
Jan  1 09:07:41 fw sshd[66563]: Invalid user spam from 208.44.210.15
Jan  1 09:07:42 fw sshd[66565]: Invalid user virus from 208.44.210.15
Jan  1 09:07:43 fw sshd[66567]: Invalid user cyrus from 208.44.210.15
Jan  1 09:07:43 fw sshd[66569]: Invalid user staff from 208.44.210.15
Jan  1 09:07:44 fw sshd[66571]: Invalid user oracle from 208.44.210.15

In our 'periodic daily' report/email (only the list goes on for hundreds of
attempts). Anyhow, long story short: is there not an easy way to make sshd
block or deny hosts temporarily if X number of invalid login attempts are made
within a minute's time? Must I use an external wrapper to accomplish this, or
can it be done with options to sshd on its own?

--
Nathan Vidican
[EMAIL PROTECTED]
Windsor Match Plate & Tool Ltd.
http://www.wmptl.com/
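
Added example, not part of the original post: one way to detect the pattern in the log excerpt above, flagging any source address that produces X "Invalid user" lines within a minute. The threshold of 5, the function names, the placeholder year and the two constructed log lines are assumptions; input is expected in chronological order, and turning a flagged address into a temporary block is left to the firewall.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: six lines copied from the post, plus two made-up lines
# (a one-off typo from 192.0.2.10 and an unrelated sshd message).
SAMPLE_LOG = """\
Jan  1 09:07:34 fw sshd[66547]: Invalid user staff from 208.44.210.15
Jan  1 09:07:35 fw sshd[66549]: Invalid user sales from 208.44.210.15
Jan  1 09:07:36 fw sshd[66551]: Invalid user recruit from 208.44.210.15
Jan  1 09:07:36 fw sshd[66552]: Invalid user alcie from 192.0.2.10
Jan  1 09:07:37 fw sshd[66553]: Invalid user alias from 208.44.210.15
Jan  1 09:07:38 fw sshd[66555]: Invalid user office from 208.44.210.15
Jan  1 09:07:38 fw sshd[66556]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
Jan  1 09:07:38 fw sshd[66557]: Invalid user samba from 208.44.210.15
"""

# The user name is text supplied by the remote side, so the greedy (.*) binds
# the address to the final " from " on the line. Newer sshd versions append
# " port N", which is accepted as optional.
LINE_RE = re.compile(
    r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Invalid user (.*) from (\S+)(?: port \d+)?$"
)

def parse_line(line, year=2000):
    """Return (timestamp, source_ip, user) or None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    # Syslog timestamps carry no year; 2000 is a placeholder (leap year).
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(3), m.group(2)

def offenders(lines, threshold=5, window=timedelta(seconds=60)):
    """Map each source IP that reached `threshold` invalid-user attempts
    inside a sliding `window` to the highest count seen in that window."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, _user = parsed
        q = recent[ip]
        q.append(ts)
        while ts - q[0] >= window:    # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return peak

if __name__ == "__main__":
    print(offenders(SAMPLE_LOG.splitlines()))
```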
