too many illegal connection attempts through ssh
Philip Hallstrom
freebsd at philip.pjkh.com
Wed Apr 6 09:30:53 PDT 2005
>>>> shown below is snapshot of too many illegal attempts to login to
>>>> my server from a suspicious hacker. this is taken from the
>>>> "/var/log/auth.log". my question is, how do i automatically block
>>>> an IP address if it is attempting to guess my login usernames?
>>>> can i configure the firewall to check the instances a certain IP
>>>> has attempted to access/ssh the sevrer, and if it has failed to
>>>> login for about "x" number of attempts, it will be blocked
>>>> automatically?
>>>
>>> This question is asked on the list ever so often - see the archives
>>> for suggestions. These are automated attacks, they come regularly
>>> as crackers, black hats or script kidies scan across the net.
>>
>> Does anybody know what robots beeing used? And on what systems? All
>> you mention later in your posting is true of course and I needn't
>> care about these logs, but it's like like somebody unknown puts 10
>> flyers in your letterbox every night. I'm sure, one night you'll hide
>> and build a trap for that person. I'm too lazy to enter those
>> net-circles for finding these robots, but maybe some other has
>> already done that?
I haven't done that, but if you don't like them you can block them fairly
easily... I wrote a little script in PHP (not that it would be hard to
re-write in perl or whatever) that watches /var/log/auth.log and if it
sees an invalid login, it adds a firewall rule to block that IP.
Then I've got a separate cronjob that removes those firewall rules a
couple minutes later.
Yes, I have locked myself out of my own server when I mistype my password,
but I just wait a minute and it lets me back in.
I thought about modifying it so instead of outright blocking it, it put
it into a pipe that limited it's bandwidth to almost nil just to hold the
thing up a bit, but this works for me..
http://www.pjkh.com/sshmonitor/
-philip
More information about the freebsd-questions
mailing list