Re: Blocking SSH Brute-Force Attacks: What Am I Doing Wrong? (Solved!)
After instrumenting 'bruteblock' (and accidentally causing auth.log to explode), I discovered that the ssh.conf file that ships with it won't work on FreeBSD 6.1 (or at least my copy of it). The shipped regexp looks for "illegal" users. But 'sshd' on FreeBSD 6.1 records login attempts of "invalid" users. The patch appended below got it to work on my system. My thanks to everyone who chimed in with suggestions. They were greatly appreciated. Schwab --- ssh.conf.dist Mon Oct 30 21:17:34 2006 +++ ssh.confWed Nov 15 00:20:29 2006 @@ -6,16 +6,16 @@ # this regexp for the OpenSSH server matches lines like: # # comment: auth via key only -#sshd[72593]: Illegal user hacker from 1.2.3.4 +#sshd[72593]: Invalid user hacker from 1.2.3.4 # # comment: pwd auth, but no such user -#sshd[72593]: Failed password for illegal user sa from 1.2.3.4 +#sshd[72593]: Failed password for invalid user sa from 1.2.3.4 # # comment: correct user, but wrong password #sshd[72626]: Failed password for samm from 1.2.3.4 # -regexp = sshd.*Illegal user \S+ from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) -regexp1= sshd.*Failed password for (?:illegal user )?\S+ from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) +regexp = sshd.*Invalid user \S+ from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) +regexp1= sshd.*Failed password for (?:invalid user )?\S+ from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) # Number of failed login attempts within time before we block max_count = 4 ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
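Review bot: the two `regexp` lines swap "Illegal" for "Invalid" instead of accepting both, so this ssh.conf silently stops matching on any host whose sshd still logs "Illegal user", and the failure mode is the one reported at the top of the thread (attempts keep coming, nothing gets blocked). An alternation keeps both wordings working: `regexp = sshd.*(?:Illegal|Invalid) user \S+ from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})` and `regexp1= sshd.*Failed password for (?:(?:illegal|invalid) user )?\S+ from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})`; the two example comment lines above them should then show both wordings rather than only the new one.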
Re: Blocking SSH Brute-Force Attacks: What Am I Doing Wrong?
Peter N. M. Hansteen wrote:
> Erik Norgaard <[EMAIL PROTECTED]> writes:
>> Honestly, I wouldn't worry about it: review your config and make some
>> simple choices to reduce the noise, see this article:
>
> One other noise reduction method which is really easy to implement is to use pf and write a rule set which uses the overload feature, see eg http://home.nuug.no/~peter/pf/en/bruteforce.html (part of my EuroBSDCon and other places tutorial). See http://home.nuug.no/~peter/pf/ for a choice of formats and languages.

Neat! Thanks,
Erik

--
Ph: +34.666334818 web: http://www.locolomo.org
X.509 Certificate: http://www.locolomo.org/crt/8D03551FFCE04F0C.crt
Key ID: 69:79:B8:2C:E3:8F:E7:BE:5D:C3:C3:B1:74:62:B8:3F:9F:1F:69:B9
Re: Blocking SSH Brute-Force Attacks: What Am I Doing Wrong?
Erik Norgaard wrote:
> Leo L. Schwab wrote:
>> On Mon, Nov 13, 2006 at 09:16:35PM +0100, Erik Norgaard wrote:
>>> Honestly, I wouldn't worry about it: review your config and make some
>>> simple choices to reduce the noise, see this article:
>>>
>>> http://www.securityfocus.com/infocus/1876
>>
>> But I rather thought that was the point of 'bruteblock' -- it reduces the noise by blackholing the offending IPs for an hour or so. This blackholing doesn't appear to be happening, and I don't understand why. Could it be a permission problem -- syslog doesn't have permission to change the firewall rules?
>
> I wouldn't worry about "bruteblock" - try to create a perl script and see if you can see a system in the attacks: Does the same host come back? If so, does it continue from where it left off?
>
> The annoyance of these brute force attacks is that your log is larger than it would be without them. That is unless of course you have made yourself vulnerable!
>
> - do you use bad passwords?
> - do you allow root login?
> - have you disabled system accounts?
>
> If the answers are no, no and yes, then you can largely ignore it. For more on this - read the linked article, read the old thread.
>
> Cheers, Erik

Jumping into this thread late, but denyhosts works great and also does a distributed thing where, if you opt in, you can get updates from other people who run denyhosts. These are then added to your deny list and if your box is scanned the attempts will be blocked. Think of it like a spamhaus list for SSH brute force attacks. It works well.

In short:

1. use denyhosts
2. do not use password based authentication for ssh. Rather, use keys that are password protected
3. never allow root ssh logins

and everything should be swell

Eric
Re: Blocking SSH Brute-Force Attacks: What Am I Doing Wrong?
Leo L. Schwab wrote:
> On Mon, Nov 13, 2006 at 09:16:35PM +0100, Erik Norgaard wrote:
>> Honestly, I wouldn't worry about it: review your config and make some
>> simple choices to reduce the noise, see this article:
>>
>> http://www.securityfocus.com/infocus/1876
>
> But I rather thought that was the point of 'bruteblock' -- it reduces the noise by blackholing the offending IPs for an hour or so. This blackholing doesn't appear to be happening, and I don't understand why. Could it be a permission problem -- syslog doesn't have permission to change the firewall rules?

I wouldn't worry about "bruteblock" - try to create a perl script and see if you can see a system in the attacks: Does the same host come back? If so, does it continue from where it left off?

The annoyance of these brute force attacks is that your log is larger than it would be without them. That is unless of course you have made yourself vulnerable!

- do you use bad passwords?
- do you allow root login?
- have you disabled system accounts?

If the answers are no, no and yes, then you can largely ignore it. For more on this - read the linked article, read the old thread.

Cheers, Erik

--
Ph: +34.666334818 web: http://www.locolomo.org
X.509 Certificate: http://www.locolomo.org/crt/8D03551FFCE04F0C.crt
Key ID: 69:79:B8:2C:E3:8F:E7:BE:5D:C3:C3:B1:74:62:B8:3F:9F:1F:69:B9
Re: Blocking SSH Brute-Force Attacks: What Am I Doing Wrong?
On Mon, Nov 13, 2006 at 10:10:58AM +0100, Frank Staals wrote:
> I had the same 'problem'. As said it's not really a problem since FreeBSD
> will hold just fine if you don't have any rather stupid user + pass
> combinations.

While FreeBSD and OpenSSH are very good, I'm not prepared to rely solely on that. I'd also prefer that the script kiddies not consume my gaming bandwidth by trying to crack my box, so best to just block them at the firewall and make them go somewhere else.

Schwab
Re: Blocking SSH Brute-Force Attacks: What Am I Doing Wrong?
On Mon, Nov 13, 2006 at 09:16:35PM +0100, Erik Norgaard wrote:
> Honestly, I wouldn't worry about it: review your config and make some
> simple choices to reduce the noise, see this article:
>
> http://www.securityfocus.com/infocus/1876

But I rather thought that was the point of 'bruteblock' -- it reduces the noise by blackholing the offending IPs for an hour or so. This blackholing doesn't appear to be happening, and I don't understand why. Could it be a permission problem -- syslog doesn't have permission to change the firewall rules?

Schwab
Re: Blocking SSH Brute-Force Attacks: What Am I Doing Wrong?
Erik Norgaard <[EMAIL PROTECTED]> writes:
> Honestly, I wouldn't worry about it: review your config and make some
> simple choices to reduce the noise, see this article:

One other noise reduction method which is really easy to implement is to use pf and write a rule set which uses the overload feature, see eg http://home.nuug.no/~peter/pf/en/bruteforce.html (part of my EuroBSDCon and other places tutorial). See http://home.nuug.no/~peter/pf/ for a choice of formats and languages.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
20:11:56 delilah spamd[26905]: 146.151.48.74: disconnected after 36099 seconds
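The overload approach Peter points to, as an added pf.conf fragment constructed for this thread (it is not taken from his tutorial or from any poster's ruleset); the interface name, the trusted address and the 3-connections-per-30-minutes threshold are assumptions. Note that max-src-conn-rate counts new TCP connections from a source, not password guesses: sshd's MaxAuthTries (default 6) caps guesses per connection, so 3 connections in 30 minutes still allows up to 18 guesses before the block lands.

```pf
# Constructed example; ext_if, <trusted> and the 3/1800 threshold are assumptions.
ext_if = "em0"

# Sources caught by the overload rule. 'persist' keeps the table
# even while no rule references it (e.g. after a ruleset reload).
table <bruteforce> persist

# Everything from a listed source is dropped before any other rule matches.
block in quick on $ext_if from <bruteforce>

# Admin hosts exempt from the rate limit, so a burst of legitimate logins
# cannot lock the operator out (address is a documentation-range placeholder).
table <trusted> { 192.0.2.10 }
pass in quick on $ext_if proto tcp from <trusted> to ($ext_if) port ssh

# SSH for everyone else, with per-source tracking on the state entry:
#   max-src-conn 10            at most 10 simultaneous connections per source
#   max-src-conn-rate 3/1800   more than 3 new connections within 1800 s (30 min)
#   overload <bruteforce>      ... adds the source address to the table
#   flush global               ... and kills its existing states on every rule
pass in on $ext_if proto tcp to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 3/1800, \
     overload <bruteforce> flush global)

# Age entries out of the table (e.g. from cron). The thread's era used the
# sysutils/expiretable port; current pfctl can do it directly, here after a day:
#   pfctl -t bruteforce -T expire 86400
```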
Re: Blocking SSH Brute-Force Attacks: What Am I Doing Wrong?
On Mon, Nov 13, 2006 at 12:19:27PM +0600, Bachilo Dmitry wrote:
> In the message of Monday, 13 November 2006 12:05, Leo L. Schwab wrote:
> > I recently installed FreeBSD 6.1 on my gateway. It replaced an installation of FreeBSD 4.6.8 (fresh install, not an upgrade) on which I had disabled the SSH server. Since all the bugs in SSH are fixed now ( :-) ), I thought I'd leave the server on, and am somewhat dismayed to discover that I now get occasional brute-force/dictionary attacks on the port.
> >
> > A little Googling revealed a couple of potentially useful tools: 'sshit' and 'bruteblock', both of which notice repeated login attempts from a given IP address and blackhole it in the firewall. I first tried 'sshit', but after a couple days, I noticed in my daily reports that I was still getting lengthy bruteforce attempts, suggesting the 'sshit' was not working.
> >
> > So I uninstalled 'sshit' and installed 'bruteblock'. But again a couple days later, the logs showed lengthy bruteforce attempts going unblocked.
> >
> > The relevant lines from my /etc/syslog.conf file are:
> >
> > auth.info;authpriv.info /var/log/auth.log
> > auth.info;authpriv.info | exec /usr/local/sbin/bruteblock -f /usr/local/etc/bruteblock/ssh.conf
> >
> > Any hints as to what I might be doing wrong?
> >
> > Thanks,
> > Schwab
>
> Why don't you just relax? :-) All my FreeBSD servers are bruteforced every
> second. So what?

Now, granted this was with FreeBSD 6.0, but I've had systems panic when they got flooded with FTP attempts. No problem yet with sshd, but I'd deny password based authentication and stick to public key authentication with passphrases.
-Damian
Re: Blocking SSH Brute-Force Attacks: What Am I Doing Wrong?
Leo L. Schwab wrote:
> I recently installed FreeBSD 6.1 on my gateway. It replaced an installation of FreeBSD 4.6.8 (fresh install, not an upgrade) on which I had disabled the SSH server. Since all the bugs in SSH are fixed now ( :-) ), I thought I'd leave the server on, and am somewhat dismayed to discover that I now get occasional brute-force/dictionary attacks on the port.

Whichever service you have running, if you look in the log you will find attempts of attack; ssh is no different, it's a target.

Honestly, I wouldn't worry about it: review your config and make some simple choices to reduce the noise, see this article:

http://www.securityfocus.com/infocus/1876

Rather than reposting myself - this issue is regularly debated, I think the last time (or the last time I participated) it was debated was 19-09-2006. Check the archive.

Cheers, Erik

--
Ph: +34.666334818 web: http://www.locolomo.org
X.509 Certificate: http://www.locolomo.org/crt/8D03551FFCE04F0C.crt
Key ID: 69:79:B8:2C:E3:8F:E7:BE:5D:C3:C3:B1:74:62:B8:3F:9F:1F:69:B9
Re: Blocking SSH Brute-Force Attacks: What Am I Doing Wrong?
On Monday 13 November 2006 10:11, Frank Staals wrote:
> The point is it isn't security through obscurity: as already pointed
> out, FreeBSD & sshd can withstand those brute force attacks without much
> of a problem so there is no security problem, the only thing is those
> brute force attacks are annoying since they cloud authd.log. If those
> attacks WERE a problem, or if there was a system which you could log in
> without user & pass if you would find out the correct port then, but
> only then, it is a bad idea

Given enough time, every user/password combination can be broken. Perhaps not in your lifetime, but it is still a real possibility. Given the relative ease of setting up keys and simply dispensing with user/passwords altogether, I fail to see why more users do not avail themselves of this avenue of security.

Then again, I don't know how San Diego came back to beat Cincinnati yesterday either. Anyway, each to his own!

--
Gerard
A word to the wise is often enough to start an argument.
Re: Blocking SSH Brute-Force Attacks: What Am I Doing Wrong?
Gerard Seibert wrote:
> On Monday November 13, 2006 at 04:10:58 (AM) Frank Staals wrote:
>> I had the same 'problem'. As said it's not really a problem since FreeBSD
>> will hold just fine if you don't have any rather stupid user + pass
>> combinations. ( test test or something like that ) Although I thought
>> it was annoying that my entire log was clouded with those brute force
>> attacks so I just set sshd to listen at another port than 22. Maybe
>> that's an acceptable solution for you ? You can change the sshd port in
>> /etc/ssh/sshd_config
>
> Security through obscurity is a bad idea. Rather, use SSH key based authentication exclusively. Turn off all of the password stuff in sshd_config. Laugh at the poor fools trying to break in.

The point is it isn't security through obscurity: as already pointed out, FreeBSD & sshd can withstand those brute force attacks without much of a problem so there is no security problem, the only thing is those brute force attacks are annoying since they cloud authd.log. If those attacks WERE a problem, or if there was a system which you could log in without user & pass if you would find out the correct port then, but only then, it is a bad idea.

--
-Frank Staals
Re: Blocking SSH Brute-Force Attacks: What Am I Doing Wrong?
Quoting Andy Greenwood <[EMAIL PROTECTED]>:
> On 11/13/06, Gerard Seibert <[EMAIL PROTECTED]> wrote:
>> On Monday November 13, 2006 at 04:10:58 (AM) Frank Staals wrote:
>>> I had the same 'problem'. As said it's not really a problem since FreeBSD
>>> will hold just fine if you don't have any rather stupid user + pass
>>> combinations. ( test test or something like that ) Although I thought
>>> it was annoying that my entire log was clouded with those brute force
>>> attacks so I just set sshd to listen at another port than 22. Maybe
>>> that's an acceptable solution for you ? You can change the sshd port in
>>> /etc/ssh/sshd_config
>>
>> Security through obscurity is a bad idea. Rather, use SSH key based authentication exclusively. Turn off all of the password stuff in sshd_config. Laugh at the poor fools trying to break in.
>
> I second this notion. I had bruteforceblocker running and recently switched to key based auth only. The good news is no one is breaking in. The bad news is that my server is remote and difficult to get physical access to and the only key I uploaded initially was my work PC. Tried to get in from home over the weekend and found that I had locked myself out! Doh! Just make sure that you have at least one PC you can get to from anywhere which has a key to get into your server.

If you are using pf, a quick google search gives you several differing versions of what I am using on the servers that I maintain.

http://www.google.com.mx/search?hl=es&q=%2Bmax-src-conn-rate+%2Bpf+brute+force&btnG=B%C3%BAsqueda+en+Google&meta=

They are all max-src-conn-rate based and use the sysutils/expiretable port to clear the blocked IP's. An example that I haven't read is here:

http://johan.fredin.info/openbsd/block_ssh_bruteforce.html

I just took one and tweaked it over time and it works great.

I only allow 3 login attempts in 30 minutes, so the brute who is trying to force his way in had better be a very good guesser ;) I did a bit of restricting in sshd_config also but only remember MaxAuthTries. An unexpected side effect of this is that now I get only one or two attempts a day and before there were multiple, simultaneous attempts 24 hours a day. In my daily security report I see something like today's, every day.

Nov 12 10:22:15 HOME sshd[82578]: Invalid user staff from 203.152.218.209
Nov 12 10:22:22 HOME sshd[83191]: Invalid user sales from 203.152.218.209
Nov 12 10:22:29 HOME sshd[83489]: Invalid user recruit from 203.152.218.209
Nov 12 12:47:10 HOME sshd[18369]: Invalid user staff from 24.11.169.203
Nov 12 12:47:12 HOME sshd[18421]: Invalid user sales from 24.11.169.203
Nov 12 12:47:15 HOME sshd[18425]: Invalid user recruit from 24.11.169.203

Before there were pages and pages. If you aren't using PF there may be something similar to max-src-conn-rate in your firewall, if not, you may want to convert ;)

Good luck,
ed
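The per-host check Erik suggests writing as a perl script, and the "N failures within a window" logic that bruteblock's max_count implements, as an added Python example for this thread (it is not bruteblock's code or anything a poster sent). The patterns are the patched ssh.conf regexps widened to accept both the "Illegal" and the "Invalid" wording; the year is assumed to be 2006 because syslog timestamps carry none, and every log line beyond the six ed quoted above is constructed.

```python
"""Count sshd authentication failures per source address over a sliding time
window, the way bruteblock's max_count / within_time settings do."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Equivalents of the patched ssh.conf regexps.  Both the "Illegal" wording of
# older OpenSSH releases and the "Invalid" wording seen on FreeBSD 6.1 match,
# so one configuration serves hosts running either version.
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
INVALID_USER = re.compile(r"sshd\[\d+\]: (?:Illegal|Invalid) user \S+ from " + IPV4)
FAILED_PASSWORD = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:illegal|invalid) user )?\S+ from " + IPV4)
# syslog prefix as in the lines quoted above: "Nov 12 10:22:15 HOME sshd[82578]: ..."
SYSLOG_TS = re.compile(r"^([A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")


def parse_line(line, year=2006):
    """Return (timestamp, source_ip) for an sshd failure line, else None.
    syslog omits the year, so the caller supplies it (assumed 2006 here)."""
    m_ts = SYSLOG_TS.match(line)
    if not m_ts:
        return None
    for pattern in (INVALID_USER, FAILED_PASSWORD):
        m = pattern.search(line)
        if m:
            ts = datetime.strptime(f"{year} {m_ts.group(1)}", "%Y %b %d %H:%M:%S")
            return ts, m.group(1)
    return None


def offenders(lines, max_count=4, window=timedelta(minutes=30)):
    """Return {ip: timestamp} for sources whose failures inside `window`
    reached max_count; the timestamp is the attempt that tripped the limit.
    Lines must be in log order, as syslog writes them."""
    recent = defaultdict(list)
    tripped = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if ip in tripped:
            continue  # already over the limit; nothing more to learn
        # keep only the failures still inside the window that ends at this attempt
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) >= max_count:
            tripped[ip] = ts
    return tripped


# Sample input: the six lines quoted in the thread, plus constructed lines
# (addresses from the 192.0.2.0/24 documentation range) for the other cases.
SAMPLE_LOG = [
    "Nov 12 10:22:15 HOME sshd[82578]: Invalid user staff from 203.152.218.209",
    "Nov 12 10:22:22 HOME sshd[83191]: Invalid user sales from 203.152.218.209",
    "Nov 12 10:22:29 HOME sshd[83489]: Invalid user recruit from 203.152.218.209",
    "Nov 12 12:47:10 HOME sshd[18369]: Invalid user staff from 24.11.169.203",
    "Nov 12 12:47:12 HOME sshd[18421]: Invalid user sales from 24.11.169.203",
    "Nov 12 12:47:15 HOME sshd[18425]: Invalid user recruit from 24.11.169.203",
    # constructed: four guesses within two minutes trip the default max_count=4
    "Nov 12 13:00:01 HOME sshd[20001]: Failed password for invalid user admin from 192.0.2.10 port 40112 ssh2",
    "Nov 12 13:00:40 HOME sshd[20002]: Failed password for invalid user test from 192.0.2.10 port 40113 ssh2",
    "Nov 12 13:01:15 HOME sshd[20003]: Failed password for root from 192.0.2.10 port 40114 ssh2",
    "Nov 12 13:01:58 HOME sshd[20004]: Illegal user oracle from 192.0.2.10",
    # constructed: four guesses spread over an hour never put more than two in one window
    "Nov 12 14:00:00 HOME sshd[21001]: Failed password for samm from 192.0.2.20 port 50001 ssh2",
    "Nov 12 14:20:00 HOME sshd[21002]: Failed password for samm from 192.0.2.20 port 50002 ssh2",
    "Nov 12 14:40:00 HOME sshd[21003]: Failed password for samm from 192.0.2.20 port 50003 ssh2",
    "Nov 12 15:00:00 HOME sshd[21004]: Failed password for samm from 192.0.2.20 port 50004 ssh2",
    # constructed: a successful key login must not be counted
    "Nov 12 15:05:00 HOME sshd[22001]: Accepted publickey for samm from 192.0.2.30 port 50100 ssh2",
]

if __name__ == "__main__":
    for threshold in (4, 3):  # bruteblock's shipped default, and ed's 3-in-30-minutes
        for ip, when in offenders(SAMPLE_LOG, max_count=threshold).items():
            print(f"max_count={threshold}: block {ip} after attempt at {when:%b %d %H:%M:%S}")
```

With the shipped max_count of 4 only the constructed 192.0.2.10 trips; at ed's threshold of 3 the two hosts from his report trip as well, while the slow 192.0.2.20 never has more than two failures in any 30-minute window.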
Re: Blocking SSH Brute-Force Attacks: What Am I Doing Wrong?
On 11/13/06, Gerard Seibert <[EMAIL PROTECTED]> wrote:
> On Monday November 13, 2006 at 04:10:58 (AM) Frank Staals wrote:
> > I had the same 'problem'. As said it's not really a problem since FreeBSD
> > will hold just fine if you don't have any rather stupid user + pass
> > combinations. ( test test or something like that ) Although I thought
> > it was annoying that my entire log was clouded with those brute force
> > attacks so I just set sshd to listen at another port than 22. Maybe
> > that's an acceptable solution for you ? You can change the sshd port in
> > /etc/ssh/sshd_config
>
> Security through obscurity is a bad idea. Rather, use SSH key based authentication exclusively. Turn off all of the password stuff in sshd_config. Laugh at the poor fools trying to break in.

I second this notion. I had bruteforceblocker running and recently switched to key based auth only. The good news is no one is breaking in. The bad news is that my server is remote and difficult to get physical access to and the only key I uploaded initially was my work PC. Tried to get in from home over the weekend and found that I had locked myself out! Doh! Just make sure that you have at least one PC you can get to from anywhere which has a key to get into your server.

--
I'm nerdy in the extreme and whiter than sour cream
RE: Blocking SSH Brute-Force Attacks: What Am I Doing Wrong?
Hello ALL!

You just must use the utility 'DenyHosts', and all Your problems will be solved! DenyHosts is a remarkable utility! It protects only the ssh service, and nothing more. It is easy to configure and very effective in operation. You can find this utility in the ports collection.

http://denyhosts.net/

Best regards,
Masyukevich Maksim
SPIRIT DSP, www.spiritDSP.com/voip, Embedded Voice Experience
SeeStorm, www.SeeStorm.com, Synthetic Video Conferencing
TeamSpirit - Award-Winning Multi-Point Voice Conferencing Engine

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Leo L. Schwab
Sent: Monday, November 13, 2006 9:05 AM
To: freebsd-questions@freebsd.org
Subject: Blocking SSH Brute-Force Attacks: What Am I Doing Wrong?

I recently installed FreeBSD 6.1 on my gateway. It replaced an installation of FreeBSD 4.6.8 (fresh install, not an upgrade) on which I had disabled the SSH server. Since all the bugs in SSH are fixed now ( :-) ), I thought I'd leave the server on, and am somewhat dismayed to discover that I now get occasional brute-force/dictionary attacks on the port.

A little Googling revealed a couple of potentially useful tools: 'sshit' and 'bruteblock', both of which notice repeated login attempts from a given IP address and blackhole it in the firewall. I first tried 'sshit', but after a couple days, I noticed in my daily reports that I was still getting lengthy bruteforce attempts, suggesting the 'sshit' was not working.

So I uninstalled 'sshit' and installed 'bruteblock'. But again a couple days later, the logs showed lengthy bruteforce attempts going unblocked.

The relevant lines from my /etc/syslog.conf file are:

auth.info;authpriv.info /var/log/auth.log
auth.info;authpriv.info | exec /usr/local/sbin/bruteblock -f /usr/local/etc/bruteblock/ssh.conf

Any hints as to what I might be doing wrong?
Thanks,
Schwab
Re: Blocking SSH Brute-Force Attacks: What Am I Doing Wrong?
On Monday November 13, 2006 at 04:10:58 (AM) Frank Staals wrote:
> I had the same 'problem'. As said it's not really a problem since FreeBSD
> will hold just fine if you don't have any rather stupid user + pass
> combinations. ( test test or something like that ) Although I thought
> it was annoying that my entire log was clouded with those brute force
> attacks so I just set sshd to listen at another port than 22. Maybe
> that's an acceptable solution for you ? You can change the sshd port in
> /etc/ssh/sshd_config

Security through obscurity is a bad idea. Rather, use SSH key based authentication exclusively. Turn off all of the password stuff in sshd_config. Laugh at the poor fools trying to break in.

--
Gerard
Mail from '@gmail' is rejected and/or discarded here. Don't waste your time!
Re: Blocking SSH Brute-Force Attacks: What Am I Doing Wrong?
Leo L. Schwab wrote:
> I recently installed FreeBSD 6.1 on my gateway. It replaced an installation of FreeBSD 4.6.8 (fresh install, not an upgrade) on which I had disabled the SSH server. Since all the bugs in SSH are fixed now ( :-) ), I thought I'd leave the server on, and am somewhat dismayed to discover that I now get occasional brute-force/dictionary attacks on the port.
>
> A little Googling revealed a couple of potentially useful tools: 'sshit' and 'bruteblock', both of which notice repeated login attempts from a given IP address and blackhole it in the firewall. I first tried 'sshit', but after a couple days, I noticed in my daily reports that I was still getting lengthy bruteforce attempts, suggesting the 'sshit' was not working.
>
> So I uninstalled 'sshit' and installed 'bruteblock'. But again a couple days later, the logs showed lengthy bruteforce attempts going unblocked.
>
> The relevant lines from my /etc/syslog.conf file are:
>
> auth.info;authpriv.info /var/log/auth.log
> auth.info;authpriv.info | exec /usr/local/sbin/bruteblock -f /usr/local/etc/bruteblock/ssh.conf
>
> Any hints as to what I might be doing wrong?
>
> Thanks,
> Schwab

I had the same 'problem'. As said it's not really a problem since FreeBSD will hold just fine if you don't have any rather stupid user + pass combinations. ( test test or something like that ) Although I thought it was annoying that my entire log was clouded with those brute force attacks so I just set sshd to listen at another port than 22. Maybe that's an acceptable solution for you ? You can change the sshd port in /etc/ssh/sshd_config

Good luck,

--
-Frank Staals
Re: Blocking SSH Brute-Force Attacks: What Am I Doing Wrong?
In the message of Monday, 13 November 2006 12:05, Leo L. Schwab wrote:
> I recently installed FreeBSD 6.1 on my gateway. It replaced an installation of FreeBSD 4.6.8 (fresh install, not an upgrade) on which I had disabled the SSH server. Since all the bugs in SSH are fixed now ( :-) ), I thought I'd leave the server on, and am somewhat dismayed to discover that I now get occasional brute-force/dictionary attacks on the port.
>
> A little Googling revealed a couple of potentially useful tools: 'sshit' and 'bruteblock', both of which notice repeated login attempts from a given IP address and blackhole it in the firewall. I first tried 'sshit', but after a couple days, I noticed in my daily reports that I was still getting lengthy bruteforce attempts, suggesting the 'sshit' was not working.
>
> So I uninstalled 'sshit' and installed 'bruteblock'. But again a couple days later, the logs showed lengthy bruteforce attempts going unblocked.
>
> The relevant lines from my /etc/syslog.conf file are:
>
> auth.info;authpriv.info /var/log/auth.log
> auth.info;authpriv.info | exec /usr/local/sbin/bruteblock -f /usr/local/etc/bruteblock/ssh.conf
>
> Any hints as to what I might be doing wrong?
>
> Thanks,
> Schwab

Why don't you just relax? :-) All my FreeBSD servers are bruteforced every second. So what?

--
With respect, Bachilo Dmitry
Best Regards, Bachilo Dmitry