Hello!
A machine I manage remotely for a friend comes under a distributed ssh
break-in attack every once in a while. Annoyed (and alarmed) by the
messages like:
Aug 12 10:21:17 symbion sshd[4333]: Invalid user mythtv from 85.234.158.180
Aug 12 10:21:18 symbion sshd[4335]: Invalid user mythtv
Should you want to continue with your own tool, at least for IPv4,
consider using tables rather than a raft of rules. With tables, you need
only a single rule and it is there at boot time.
Also, you might want to consider switching to pf,
which has this functionality built-in.
Jan
Jeremy Chadwick wrote:
The above looks like sshguard.
Yes, several people have pointed this out. Thanks!
I've personally never trusted something that *automatically* adjusts firewall
rules based on data read from text
logs or packets coming in off the Internet. The risks involved are
On Thu, Aug 21, 2008 at 10:10:42PM +0200, Rink Springer wrote:
On Thu, Aug 21, 2008 at 01:03:09PM -0700, Jeremy Chadwick wrote:
Finally, consider moving to pf instead, if you really feel ipfw is
what's causing your machine to crash. You might be pleasantly surprised
by the syntax, and
I do something related to this with fwlogwatch although it can probably
be adapted to any similar tool; when I hit the 'block' threshold, I
execute something like:
#!/bin/sh
# fwlogwatch passes the offending address as $3; the table value
# records the hour (0-23) at which the block was added
HR=`date +%-k`
/sbin/ipfw table 0 add $3 ${HR}
.. so each entry has a tag indicating the hour at which the block was
Mikhail Teterin wrote:
Hello!
A machine I manage remotely for a friend comes under a distributed ssh
break-in attack every once in a while. Annoyed (and alarmed) by the
messages like:
Aug 12 10:21:17 symbion sshd[4333]: Invalid user mythtv from 85.234.158.180
Aug 12 10:21:18 symbion
Ross Wheeler wrote:
I overcame these conflicting requirements with a 2-step process. The
authorised user first browsed to a website which asked their
username and password. When entered correctly, it opened a hole in the
firewall to allow that IP to their network. A timer ran every 15
On Thu, 21 Aug 2008, Mikhail Teterin wrote:
Surely you don't have that many users who SSH into the NAT router from
random public IPs all over the world, rather than via the LAN? Surely
if you yourself often SSH into your NAT router from a Blackberry device,
that you wouldn't have much of a
There are many excellent suggestions on how to deal with invalid/unauthorised
access attempts via ssh. I'd used sshguard for around 8 months but recently
changed to bruteblock, both are in the ports/security. sshguard was very easy
to configure, via rc.conf arguments. Bruteblock handled