Illegal access attempt - FreeBSD 5.4 Release - please advise

nawcom nawcom at nawcom.no-ip.com
Sat Aug 27 23:59:27 GMT 2005


I also get a large amount of attacks via ssh. I decided that the people 
who have access to my server (only 12) know what their usernames are. My 
decision was to set up a swatch script to monitor the types of errors 
that are picked up in the logs:

-if the attempt was with a username that doesn't exist - I add the IP to 
a db of banned IPs and flush and restart ipfw

-if it is from a username that does exist - I give the person 5 tries, 
if by the 5th try they can't get in, I add the IP to the db as stated above.

It sounds pretty harsh, but it definitely stops those idiots. I've got a 
large list of IPs, and from nmapping them most are from people running 
entry level Linux distros with many holes in their security setup. I 
could get revenge, but not worth it.

If anyone is curious about the script let me know,
Ben


Maarten Sanders wrote:

>On Thu, 2005-08-25 at 07:22 -0400, Lee Capps wrote:
>
>>On 11:18 Wed 24 Aug     , Chris St Denis wrote:
>>
>>>How can I easily auto deny after x failed attempts? Is this an sshd setting?
>>>I could find it.
>>>
>>>Is there something in ports that will firewall off somebody who is brute
>>>forcing?
>>>
>>In addition to adding entries to /etc/hosts.allow you could try
>>DenyHosts:
>>
>>http://denyhosts.sourceforge.net/
>>
>>I didn't find a port, but it works with FreeBSD and isn't too onerous to
>>install.
>>
>>HTH,
>>
>>Lee
>>_______________________________________________
>>freebsd-questions at freebsd.org mailing list
>>http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
>>
>Nice suggestion, but how do I enable tcp_wrappers with sshd?
>
>See : http://denyhosts.sourceforge.net/ssh_config.html 
>I tried adding 
>
>sshd: 127.0.0.1 : deny to /etc/hosts.allow but I failed the described
>test. 
>
>Maarten
>
>
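The ban policy described in this message, as an added example that is not Ben's swatch script or anything from the original thread: it reads sshd log lines and returns the addresses that would go into the banned-IP db, leaving the ipfw step out. The log wording ("Illegal user"/"Invalid user", "Failed password for ..."), the `allowlist` parameter and all names and sample lines are assumptions made for this sketch.

```python
import ipaddress
import re
from collections import Counter

MAX_FAILURES = 5  # tries allowed for a username that exists, per the post

# Usernames are attacker-controlled text, so the greedy ".*" makes the address
# come from the last " from " on the line, not the first.
UNKNOWN_USER = re.compile(
    r"sshd\[\d+\]: (?:Invalid|Illegal) user .* from (\S+)(?: port \d+)?$")
FAILED_LOGIN = re.compile(
    r"sshd\[\d+\]: Failed password for ((?:invalid|illegal) user )?.* "
    r"from (\S+) port \d+ ssh2$")


def ips_to_ban(lines, allowlist=frozenset()):
    """Return source addresses to block, in the order they earn the ban."""
    failures, banned = Counter(), []
    for line in lines:
        line = line.rstrip()
        match = UNKNOWN_USER.search(line)
        if match:
            source, unknown_user = match.group(1), True
        else:
            match = FAILED_LOGIN.search(line)
            if not match:
                continue
            source, unknown_user = match.group(2), bool(match.group(1))
        try:
            ip = str(ipaddress.ip_address(source))
        except ValueError:
            continue  # hostname or junk: never hand it to the firewall
        if ip in allowlist or ip in banned:
            continue  # allowlist (an assumption here) guards against self-lockout
        if not unknown_user:
            failures[ip] += 1
            if failures[ip] < MAX_FAILURES:
                continue
        banned.append(ip)
    return banned


# Constructed sample lines (documentation address ranges, made-up host and PID).
PREFIX = "Aug 27 23:10:01 host sshd[4101]: "
SAMPLE_LOG = (
    [PREFIX + "Illegal user admin from 203.0.113.7"]
    + [PREFIX + "Failed password for ben from 198.51.100.20 port 4022 ssh2"] * 4
    + [PREFIX + "Failed password for root from 192.0.2.44 port 5001 ssh2"] * 5
    + [PREFIX + "Invalid user a from 198.51.100.20 from 192.0.2.99"]
)
```

The last sample line carries a username that itself contains " from 198.51.100.20"; taking the address from the end of the line keeps a crafted username from getting someone else's address banned.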


