Re[2]: too many illegal connection attempts through ssh

2005-04-13 Thread Daniel Gerzo
Hi Ed,

Wednesday, April 13, 2005, 10:46:07 PM, you wrote these comments:

 Forgive the top posting (long message) ;)
 A quick way to make that crap go away is to run your ssh on a different
 port. Quick, simple, effective. I used to have those brute force
 attacks every day filling my logs, and I would go in and create an
 entry for that entire netmask in the ipfw and hosts.allow files, but
 that got tedious real quick. Changing the port made my life easier.
 ssh -p 99 -l yournamehere 192.168.1.10

or, if Edwin uses pf, he can use my bruteforceblocker.pl, which is a
daemonized process that checks for these login attempts and adds the
given IPs to pf's table.

it's located at:

http://danger.rulez.sk/projects/bruteforceblocker/

PS: it seems like Edwin will have to adjust the regexp in my script a
little bit, since my regexp checks for Failed password attempts, but
doing so is a trivial thing...

 On Wed, 2005-04-06 at 07:15 +, Edwin D. Vinas wrote:
 hello,
 
 shown below is snapshot of too many illegal attempts to login to my
 server from a suspicious hacker. this is taken from the
 /var/log/auth.log. my question is, how do i automatically block an
 IP address if it is attempting to guess my login usernames? can i
 configure the firewall to check the instances a certain IP has
 attempted to access/ssh the server, and if it has failed to login for
 about x number of attempts, it will be blocked automatically?
 
 thank you in advance!
 
 -edwin
 
 
 Mar 26 05:00:00 pawikan newsyslog[11879]: logfile turned over due to size>100K
 Mar 26 22:49:29 pawikan sshd[66637]: Illegal user test from 211.176.33.46
 Mar 26 22:49:32 pawikan sshd[66639]: Illegal user guest from 211.176.33.46
 Mar 26 22:49:35 pawikan sshd[66641]: Illegal user admin from 211.176.33.46

-- 
Best Regards,

+--==/\/\==--+   (__)  FreeBSD
|  DanGer [EMAIL PROTECTED]  |\\\'',)  The
| [EMAIL PROTECTED] ICQ261701668 |  \/  \ ^Power
|   http://danger.rulez.sk   |  .\._/_)To
+--==\/\/==--+ Serve

[ Oh, what is it now? Can't you leave me in Peace? - Basil Fawlty ]

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
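As an added illustration of what such a log-watching daemon does (this is a sketch written for this thread, not bruteforceblocker.pl itself; the threshold, the pf table name and the whitelisted admin network are assumptions), the following Python counts failed sshd attempts per source address over the auth.log lines Edwin posted, matches both the "Illegal user" form in his log and the "Failed password" form the script's regexp looks for, and builds the pfctl commands that would add offenders to a pf table:

```python
import re
import ipaddress
from collections import Counter

# Constructed sample modelled on the auth.log lines quoted in the thread; the
# 10.0.0.7 and 192.0.2.9 entries are made up to exercise the second pattern and the whitelist.
SAMPLE_LOG = """\
Mar 26 05:00:00 pawikan newsyslog[11879]: logfile turned over due to size>100K
Mar 26 22:49:29 pawikan sshd[66637]: Illegal user test from 211.176.33.46
Mar 26 22:49:32 pawikan sshd[66639]: Illegal user guest from 211.176.33.46
Mar 26 22:49:35 pawikan sshd[66641]: Illegal user admin from 211.176.33.46
Mar 26 22:50:01 pawikan sshd[66650]: Failed password for root from 10.0.0.7 port 4022 ssh2
Mar 26 22:52:11 pawikan sshd[66660]: Failed password for root from 192.0.2.9 port 5010 ssh2
Mar 26 22:52:14 pawikan sshd[66662]: Failed password for root from 192.0.2.9 port 5011 ssh2
Mar 26 22:52:17 pawikan sshd[66664]: Failed password for root from 192.0.2.9 port 5012 ssh2
"""
# "Illegal user" is what Edwin's log shows; "Failed password" is what the script's regexp matches.
PATTERNS = [
    re.compile(r"sshd\[\d+\]: Illegal user \S+ from (\S+)$"),
    re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+)"),
]
THRESHOLD = 3                                          # assumed: failures before blocking
TABLE = "bruteforce"                                   # assumed pf table name
NEVER_BLOCK = [ipaddress.ip_network("192.0.2.0/24")]  # assumed admin network, never blocked

def failed_attempts(lines):
    # Count failed sshd logins per source address.
    counts = Counter()
    for line in lines:
        for pat in PATTERNS:
            m = pat.search(line)
            if m:
                counts[m.group(1)] += 1
                break
    return counts

def addresses_to_block(counts, threshold=THRESHOLD):
    # Sources at/over the threshold, minus whitelisted networks and non-addresses.
    blocked = []
    for addr, n in counts.items():
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # hostname or garbage: pf tables take addresses only
        if n >= threshold and not any(ip in net for net in NEVER_BLOCK):
            blocked.append(addr)
    return sorted(blocked)

def pfctl_commands(addrs, table=TABLE):
    return [f"pfctl -t {table} -T add {a}" for a in addrs]
```

The commands are returned as strings rather than executed, and the table must already be declared in pf.conf (`table <bruteforce> persist` plus a `block in quick from <bruteforce> to any` rule). The whitelist is there so that a few mistyped passwords from your own admin network cannot lock you out of the box.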


Re[2]: too many illegal connection attempts through ssh

2005-04-13 Thread Hexren
 On Wed, 2005-04-06 at 07:15 +, Edwin D. Vinas wrote:
 hello,
 
 shown below is snapshot of too many illegal attempts to login to my
 server from a suspicious hacker. this is taken from the
 /var/log/auth.log. my question is, how do i automatically block an
 IP address if it is attempting to guess my login usernames? can i
 configure the firewall to check the instances a certain IP has
 attempted to access/ssh the server, and if it has failed to login for
 about x number of attempts, it will be blocked automatically?
 
 thank you in advance!
 
 -edwin
 
 
 Mar 26 05:00:00 pawikan newsyslog[11879]: logfile turned over ...etc.

 This is one of those things we all have to live with. 

 I once had the idea to start an Open Source Project for making an 
 administrators' tool that would work as follows. The tool would collect these 
 records and send the information to a central server. I would be willing to 
 donate and administer that server. The server would then track where these 
 attacks are coming from. If it becomes apparent that the attacks are coming 
 from a lone idiot doing one or two amateurish crack attempts, nothing further 
 need be done. On the other hand, if it becomes apparent that the source is 
 making repeated attacks on many machines, then a co-ordinated message would go 
 out to all administrators using the tool. This could be automated. We could 
 hope that many tens of thousands of BSD administrators would be using this 
 tool (on many hundreds of thousands of BSD machines). All the machines 
 administered by users of this tool would then launch a concerted Denial Of 
 Service attack on the cracker address. 

 Now, how about that? 

 Of course, we could also try to do this nicely; for example, we could send 
 automated notifications to the ISPs servicing the offending machines, or to 
 ICANN, or to the police and other authorities in the countries where this 
 kind of behavior is illegal, and so on. However, that would certainly be 
 quite ineffective, and much less fun. 

 Or we could combine these strategies. We could notify the ISPs that the 
 attacks are coming from one of their clients, informing them that a Tsunami 
 DOS shall follow if they do not put a stop to the attacks. 

 Just an idea...

 Benjamin Rossen 

-

Sounds fun but opens the door for every local user with ssh access to
DOS the machine he is on. I am not that fond of the idea.
