Allie D. wrote:
I just had to reply with this info because I already had an attempted
brute force in the last hour. All you need to do is make your rule tighter
and add a connection rate ratio to start collecting IPs.
We use pf OS fingerprinting to only allow SSH connections from OpenBSD
hosts. That pretty much solves the problem...
(I use logsentry/logcheck)
Security Violations
=-=-=-=-=-=-=-=-=-=
Aug 8 11:48:16 traci sshd[1099]: Failed password for invalid user root from 72.11.128.61 port 42049 ssh2
Aug 8 11:48:17 traci sshd[25952]: Failed password for invalid user root from 72.11.128.61 port 42104 ssh2
Aug 8 11:48:18 traci sshd[2543]: Failed password for invalid user root from 72.11.128.61 port 42149 ssh2
Aug 8 11:48:19 traci sshd[14785]: Failed password for invalid user root from 72.11.128.61 port 42193 ssh2
Aug 8 11:48:20 traci sshd[75]: Failed password for invalid user root from 72.11.128.61 port 42242 ssh2
Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Aug 8 11:48:16 traci sshd[1099]: User root from 72.11.128.61 not allowed because not listed in AllowUsers
Aug 8 11:48:16 traci sshd[28065]: input_userauth_request: invalid user root
Aug 8 11:48:16 traci sshd[1099]: Failed password for invalid user root from 72.11.128.61 port 42049 ssh2
Aug 8 11:48:16 traci sshd[28065]: Received disconnect from 72.11.128.61: 11: Bye Bye
Aug 8 11:48:17 traci sshd[25952]: User root from 72.11.128.61 not allowed because not listed in AllowUsers
Aug 8 11:48:17 traci sshd[4408]: input_userauth_request: invalid user root
Aug 8 11:48:17 traci sshd[25952]: Failed password for invalid user root from 72.11.128.61 port 42104 ssh2
Aug 8 11:48:17 traci sshd[4408]: Received disconnect from 72.11.128.61: 11: Bye Bye
Aug 8 11:48:18 traci sshd[2543]: User root from 72.11.128.61 not allowed because not listed in AllowUsers
Aug 8 11:48:18 traci sshd[23885]: input_userauth_request: invalid user root
Aug 8 11:48:18 traci sshd[2543]: Failed password for invalid user root from 72.11.128.61 port 42149 ssh2
Aug 8 11:48:18 traci sshd[23885]: Received disconnect from 72.11.128.61: 11: Bye Bye
Aug 8 11:48:19 traci sshd[14785]: User root from 72.11.128.61 not allowed because not listed in AllowUsers
Aug 8 11:48:19 traci sshd[22134]: input_userauth_request: invalid user root
Aug 8 11:48:19 traci sshd[14785]: Failed password for invalid user root from 72.11.128.61 port 42193 ssh2
Aug 8 11:48:19 traci sshd[22134]: Received disconnect from 72.11.128.61: 11: Bye Bye
Aug 8 11:48:20 traci sshd[75]: User root from 72.11.128.61 not allowed because not listed in AllowUsers
Aug 8 11:48:20 traci sshd[12103]: input_userauth_request: invalid user root
Aug 8 11:48:20 traci sshd[75]: Failed password for invalid user root from 72.11.128.61 port 42242 ssh2
Aug 8 11:48:20 traci sshd[12103]: Received disconnect from 72.11.128.61: 11: Bye Bye
pfctl -t DoS_hosts -T show -v
72.11.128.61
Cleared: Wed Aug 8 11:48:20 2007
In/Block: [ Packets: 6 Bytes: 240 ]
In/Pass: [ Packets: 0 Bytes: 0 ]
Out/Block: [ Packets: 0 Bytes: 0 ]
Out/Pass: [ Packets: 0 Bytes: 0 ]
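The rule the post refers to, written out as an added pf.conf example (not the poster's own configuration): a loose SSH rule beside the tightened one that adds a connection-rate limit, collects offenders in the DoS_hosts table shown above and restricts sources to hosts fingerprinted as OpenBSD. The "egress" interface group and the 3/30 threshold are assumptions.

```pf
# Added example, not from the original post. Interface group and
# thresholds are assumed values; adjust to the host.
table <DoS_hosts> persist

# Drop anything already collected before any pass rule can match.
block in quick on egress from <DoS_hosts>

# Loose rule: every source may open as many SSH connections as it likes.
# pass in on egress proto tcp to port ssh keep state

# Tighter rule: only sources that pf's passive OS fingerprinting sees as
# OpenBSD may connect, and a source opening more than 3 new connections
# in 30 seconds is added to <DoS_hosts>; "flush global" also tears down
# that source's existing states so a running brute force is cut off.
pass in on egress proto tcp from any os "OpenBSD" to port ssh \
    keep state (max-src-conn-rate 3/30, overload <DoS_hosts> flush global)
```

Passive fingerprinting only classifies the initial SYN, so it narrows who may attempt a login rather than who may authenticate; AllowUsers, as in the log above, still does that part.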