Odhiambo Washington wrote:
Hello users.
I run several 5.2.1 boxes (in production).
For weeks now, I have seen a lot of notifications from periodic/daily
with the output below and I have questions:
1. Is this some virus or some crackers playing around?
2. Why only on 5.2.1 systems and not on any of the 4.10 boxes that I
also run?
3. Am I supposed to be worried at all? Well, I am not ;)
I hate the messages though and there must be something here that I
need to do.
<cut>
Oct 17 10:44:10 gw sshd[4170]: Failed password for nobody from 210.80.96.185 port 52215 ssh2
Oct 17 10:44:19 gw sshd[4172]: Failed password for patrick from 210.80.96.185 port 52337 ssh2
These attackers seem to always poke at port 22 for ssh holes.
I have three ways to prevent access, from easy to more difficult setup:
1. restrict sshd access in /etc/hosts.allow, by an entry like
sshd : 225.50.0.0/255.255.0.0 : allow
[...whatever access restrictions to other services...]
ALL : ALL : deny
where 225.50.0.0/255.255.0.0 is an example of the sub-network you're on.
Only IPs from this network can access your PC via ssh.
2. shift your sshd access to another port, by modifying /etc/rc.conf
sshd_flags="-p 4321"
but then users should be informed to do "ssh -p 4321 ...." instead.
Note: 4321 is just an example; choose your own number > 1024 here.
3. Use a firewall, that allows access via port 22 only for restricted IPs,
but the other sshd port for the whole world.
Modify /etc/rc.conf:
sshd_flags="-p 22 -p 4321"
And for example with ipfw:
[...]
check-state
[...]
allow tcp from any to me 4321 in via rl0 setup
allow tcp from 225.50.0.0/16 to me ssh in via rl0 setup
(replace "rl0" by your own device).
I am using (3) and the sshd attacks have dropped to zero.
Rob.
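A small log check for the kind of messages quoted above, added here as an example and not part of the thread or of periodic/daily: it parses sshd "Failed password" lines (a constructed sample log, including the "invalid user" variant sshd emits for accounts that do not exist) and reports source addresses that cross a burst threshold inside a time window, along with the usernames they tried. The threshold, window and year are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Line shape from the thread: "<syslog ts> <host> sshd[<pid>]: Failed password for
# [invalid user ]<user> from <ip> port <port> ssh2". Classic syslog carries no year.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+) ssh2$"
)

def parse_failures(lines, year=2003):
    """Yield (timestamp, user, ip) for every failed-password line; ignore others."""
    for line in lines:
        m = FAILED_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]

def flag_sources(lines, threshold=3, window_s=60):
    """Return {ip: sorted usernames} for sources with >= threshold failures
    within any window_s-second span (assumed defaults: 3 failures in 60 s)."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(lines):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        for i in range(len(events)):
            j = i  # advance j while events stay inside the window starting at i
            while j < len(events) and (events[j][0] - events[i][0]).total_seconds() <= window_s:
                j += 1
            if j - i >= threshold:
                flagged[ip] = sorted({u for _, u in events})
                break
    return flagged

# Constructed sample: a burst from one address (as in the thread) plus one stray
# failure and one successful login that must not be counted.
SAMPLE_LOG = """\
Oct 17 10:44:10 gw sshd[4170]: Failed password for nobody from 210.80.96.185 port 52215 ssh2
Oct 17 10:44:19 gw sshd[4172]: Failed password for patrick from 210.80.96.185 port 52337 ssh2
Oct 17 10:44:31 gw sshd[4174]: Failed password for invalid user test from 210.80.96.185 port 52410 ssh2
Oct 17 10:50:02 gw sshd[4180]: Accepted password for rob from 192.0.2.10 port 40001 ssh2
Oct 17 11:02:55 gw sshd[4190]: Failed password for rob from 192.0.2.10 port 40002 ssh2
"""

if __name__ == "__main__":
    for ip, users in flag_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: burst of failures, usernames tried: {', '.join(users)}")
```

Feeding it /var/log/auth.log (or whatever syslog.conf directs auth.info to) gives a per-source view that the daily security mail's flat listing does not.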
_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"