May or may not be an option, but changing the default port that ssh runs on worked well enough for our needs. --It greatly reduced the number of automated attacks against the servers. It might work well enough to allow your DIY script to keep up without problems.
-dan -----Original Message----- From: Mikhail Teterin <[EMAIL PROTECTED]> Date: Thu, 21 Aug 2008 13:38:38 To: <[email protected]>; <[EMAIL PROTECTED]> Subject: machine hangs on occasion - correlated with ssh break-in attempts Hello! A machine I manage remotely for a friend comes under a distributed ssh break-in attack every once in a while. Annoyed (and alarmed) by the messages like: Aug 12 10:21:17 symbion sshd[4333]: Invalid user mythtv from 85.234.158.180 Aug 12 10:21:18 symbion sshd[4335]: Invalid user mythtv from 85.234.158.180 Aug 12 10:21:20 symbion sshd[4337]: Invalid user mythtv from 85.234.158.180 Aug 12 10:21:21 symbion sshd[4339]: Invalid user mythtv from 85.234.158.180 I wrote an awk-script, which adds a block of the attacking IP-address to the ipfw-rules after three such "invalid user" attempts with: ipfw add 550 deny ip from ip The script is fed by syslogd directly -- through a syslog.conf rule ("|/opt/sbin/auth-log-watch"). Once in a while I manually flush these rules... I this a good (safe) reaction? I'm asking, because the machine (currently running 7.0 as of July 7) hangs solid once every few weeks... My only guess is that a spike in attacks causes "too many" ipfw-entries created, which paralyzes the kernel due to some bug -- the machine is running natd and is the gateway for the rest of the network... The hangs could, of course, be caused by something else entirely, but my self-defense mechanism is my first suspect... Any comments? Thanks! -mi _______________________________________________ [email protected] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "[EMAIL PROTECTED]"
_______________________________________________ [email protected] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "[EMAIL PROTECTED]"
