Are these attempts by password crackers??
spamrefuse at yahoo.com
Mon Oct 18 00:00:51 PDT 2004
Odhiambo Washington wrote:
> Hello users.
> I run several 5.2.1 boxes (in production).
> For weeks now, I have seen a lot of notifications from periodic/daily
> with the output below and I have questions:
> 1. Is this some virus or some crackers playing around?
> 2. Why only on 5.2.1 systems and not on any of the 4.10 boxes that I
> also run?
> 3. Am I supposed to be worried at all? Well, I am not ;)
> I hate the messages though and there must be something here that I
> need to do.
> Oct 17 10:44:10 gw sshd: Failed password for nobody from 188.8.131.52 port 52215 ssh2
> Oct 17 10:44:19 gw sshd: Failed password for patrick from 184.108.40.206 port 52337 ssh2
These attackers seem to always poke at port 22 for ssh holes.
I have three ways to prevent access, from easy to more difficult setup:
1. restrict sshd access in /etc/hosts.allow, by an entry like
sshd : 220.127.116.11/255.255.0.0 : allow
[...whatever access restrictions to other services...]
ALL : ALL : deny
where 18.104.22.168/255.255.0.0 is an example of the sub-network you're on.
Only IPs from this network can access your PC via ssh.
2. shift your sshd access to another port, by modifying /etc/rc.conf
but then users should be informed to do "ssh -p 4321 ...." instead.
Note: 4321 is just an example; choose your own number > 1024 here.
3. Use a firewall, that allows access via port 22 only for restricted IPs,
but the other sshd port for the whole world.
sshd_flags="-p 22 -p 4321"
And for example with ipfw:
allow tcp from any to me 4321 in via rl0 setup
allow tcp from 22.214.171.124/16 to me ssh in via rl0 setup
(replace "rl0" by your own device).
I am using (3) and the sshd attacks have dropped to zero.
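
An added example, not part of the original post: a small Python script that groups the "Failed password" lines from the daily report by source address and marks which sources fall outside the network an /etc/hosts.allow or ipfw rule like the ones above would admit. The log lines, the addresses (documentation ranges) and the allowed network are constructed sample values.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the log format quoted above; addresses are
# documentation ranges, not values from the post.
SAMPLE_LOG = """\
Oct 17 10:44:10 gw sshd: Failed password for nobody from 203.0.113.7 port 52215 ssh2
Oct 17 10:44:19 gw sshd: Failed password for patrick from 203.0.113.7 port 52337 ssh2
Oct 17 10:45:02 gw sshd[4220]: Failed password for illegal user admin from 198.51.100.23 port 40110 ssh2
Oct 17 10:50:41 gw sshd[4302]: Failed password for alice from 192.0.2.15 port 50022 ssh2
Oct 17 10:51:00 gw sshd[4302]: Accepted password for alice from 192.0.2.15 port 50022 ssh2
"""

# Optional [pid], optional "illegal user"/"invalid user" prefix.
FAILED = re.compile(
    r"sshd(?:\[\d+\])?: Failed password for "
    r"(?:(?:illegal|invalid) user )?(\S+) from (\S+) port \d+"
)

def summarize_failures(log_text, allowed_net):
    """Group failed sshd logins by source and mark whether the source is
    inside allowed_net (address/netmask, as written in hosts.allow)."""
    net = ipaddress.ip_network(allowed_net, strict=False)
    by_src = defaultdict(lambda: {"count": 0, "users": set(), "allowed": False})
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        user, src = m.groups()
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            continue  # hostname instead of an address; skipped here
        entry = by_src[src]
        entry["count"] += 1
        entry["users"].add(user)
        entry["allowed"] = addr in net
    return dict(by_src)

if __name__ == "__main__":
    for src, e in sorted(summarize_failures(SAMPLE_LOG, "192.0.2.0/255.255.255.0").items()):
        where = "inside allowed net" if e["allowed"] else "would be denied"
        print(f"{src:15} {e['count']:3} failures, users={sorted(e['users'])} ({where})")
```

Failures from sources marked as inside the allowed network are the ones an address restriction does not stop, so they are the entries to follow up on.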