High levels of break-in attempts

Murray Taylor murraytaylor at bytecraftsystems.com
Mon Jan 10 21:32:50 PST 2005


> Gene wrote:
> 
> > Over the past few months there have been a remarkably high level of
> > brute force attacks logged by sshd. I was wondering, is there a way
> > that sshd (or some other package) can monitor login attempts and if
> > more than say 5 or 6 attempts are made to login from a particular ip
> > address, temporarily block that address (perhaps at the firewall)?
> > It'd be real satisfying to just dump the attackers' packets to the bit
> > bucket and slow 'em down a bit.
> 
> 
> Yeah, I have experienced exactly the same thing. I think I may write a
> simple daemon perl script that watches the tail of auth.log for some of
> this crap and installs firewalls ad-hoc.
> 
> Here's a (very, very small) dump from /var/log/auth.log
> 
> Jan  8 06:11:22 fusion sshd[43967]: Failed password for root from 64.246.44.130 port 54213 ssh2
> Jan  8 06:11:22 fusion sshd[43969]: Failed password for root from 64.246.44.130 port 54219 ssh2
> Jan  8 06:11:22 fusion sshd[43971]: Illegal user webmaster from 64.246.44.130
> Jan  8 06:11:22 fusion sshd[43973]: Illegal user data from 64.246.44.130
> Jan  8 06:11:23 fusion sshd[43975]: Illegal user user from 64.246.44.130
> Jan  8 06:11:23 fusion sshd[43977]: Illegal user user from 64.246.44.130
> Jan  8 06:11:23 fusion sshd[43979]: Illegal user user from 64.246.44.130
> Jan  8 06:11:23 fusion sshd[43981]: Illegal user web from 64.246.44.130
> Jan  8 06:11:24 fusion sshd[43983]: Illegal user web from 64.246.44.130
> Jan  8 06:11:24 fusion sshd[43985]: Illegal user oracle from 64.246.44.130
> Jan  8 06:11:24 fusion sshd[43987]: Illegal user sybase from 64.246.44.130
> Jan  8 06:11:24 fusion sshd[43989]: Illegal user master from 64.246.44.130
> Jan  8 06:11:25 fusion sshd[43991]: Illegal user account from 64.246.44.130
> Jan  8 06:11:25 fusion sshd[43993]: Illegal user backup from 64.246.44.130
> Jan  8 06:11:25 fusion sshd[43995]: Illegal user server from 64.246.44.130
> Jan  8 06:11:25 fusion sshd[43998]: Illegal user adam from 64.246.44.130
> Jan  8 06:11:26 fusion sshd[44000]: Illegal user alan from 64.246.44.130
> Jan  8 06:11:26 fusion sshd[44002]: Illegal user frank from 64.246.44.130
> Jan  8 06:11:26 fusion sshd[44004]: Illegal user george from 64.246.44.130
> Jan  8 06:11:26 fusion sshd[44006]: Illegal user henry from 64.246.44.130
> Jan  8 06:11:26 fusion sshd[44008]: Failed password for john from 64.246.44.130 port 54348 ssh2
> 
> Interestingly, 64.246.44.130 is within the IP range of ev1servers.net 
> which is where my BSD machine is located.
> 
> ..... FUCKERS.
> 

I haven't checked for sure, but could sysutils/ipa help?

It can 'open/close' firewalls upon certain limit conditions...

from the pkg_descr
-------------------------------------------------------------------
ipa(8) allows you to do IP accounting (network accounting) based on
FreeBSD IPv4/v6 Firewall (including IPFW2), OpenBSD Packet Filter and
IP Filter accounting rules on FreeBSD, NetBSD and OpenBSD.

It supports limits for accounting rules and limit events such as "limit is
reached", "reached limit is expired", etc. It understands time intervals
like "end of day", "end of week", "end of month", etc.

ipastat(8) is a viewer for IP accounting database made by ipa(8).
---------------------------------------------------------------------

Maybe something that registers and shuts out the ungodly, and ipa then
can follow along and reopen things later....

0.02c maybe

mjt
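The "watch auth.log, count failures per source, install a temporary firewall rule" idea discussed above, as an added example that is not code from anyone in this thread. It parses the two sshd message formats shown in the quoted excerpt ("Failed password for ..." and "Illegal user ..."), keeps a sliding window of failures per source IP, and after a threshold emits an ipfw(8) deny rule, deleting it again once the ban period has elapsed. By default it is a dry run that only records the commands it would execute; the threshold, window, ban duration, rule numbers and the assumed log year are all arbitrary choices made here. The sample log mixes lines copied from the excerpt with constructed ones (192.0.2.7 is a TEST-NET-1 address).

```python
#!/usr/bin/env python3
"""Count sshd login failures per source IP and block repeat offenders with ipfw.

Added example for the freebsd-questions thread; not the posters' own code.
Dry-run by default: the ipfw commands are recorded, not executed.
"""
import re
import subprocess
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The two failure messages present in the quoted auth.log excerpt.
# Hostname and PID are skipped; only the timestamp and source IP are captured.
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:illegal user )?\S+ from (?P<ip1>[\d.]+)"
    r"|Illegal user \S+ from (?P<ip2>[\d.]+))"
)

LOG_YEAR = 2005  # syslog lines carry no year; assumed to match the post's date


def parse_failure(line):
    """Return (timestamp, source_ip) for a failed-login line, else None."""
    m = FAIL_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("ip1") or m.group("ip2")


class Blocker:
    """`threshold` failures from one IP within `window` seconds earn a deny
    rule; the rule is removed again after `ban` seconds (on the next log line)."""

    def __init__(self, threshold=5, window=60, ban=600, dry_run=True, base_rule=1000):
        self.threshold, self.window, self.ban = threshold, window, ban
        self.dry_run = dry_run
        self.hits = defaultdict(deque)  # ip -> timestamps of recent failures
        self.banned = {}                # ip -> (ipfw rule number, expiry time)
        self.next_rule = base_rule
        self.commands = []              # every command run (or, dry-run, skipped)

    def _run(self, argv):
        self.commands.append(" ".join(argv))
        if not self.dry_run:
            subprocess.run(argv, check=True)

    def expire(self, now):
        """Delete deny rules whose ban period has elapsed; return freed IPs."""
        freed = [ip for ip, (_, until) in self.banned.items() if until <= now]
        for ip in freed:
            rule, _ = self.banned.pop(ip)
            self._run(["ipfw", "delete", str(rule)])
        return freed

    def feed(self, line):
        """Process one auth.log line; return the IP if this line got it banned."""
        parsed = parse_failure(line)
        if parsed is None:
            return None
        ts, ip = parsed
        self.expire(ts)
        if ip in self.banned:
            return None
        q = self.hits[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > self.window:
            q.popleft()  # forget failures older than the window
        if len(q) < self.threshold:
            return None
        rule, self.next_rule = self.next_rule, self.next_rule + 1
        # ipfw(8): rule number, then action; 'me' matches any local address
        self._run(["ipfw", "add", str(rule), "deny", "ip", "from", ip, "to", "me"])
        self.banned[ip] = (rule, ts + timedelta(seconds=self.ban))
        q.clear()
        return ip


def scan(lines, **kw):
    """Feed every line to a fresh Blocker; return (IPs banned in order, blocker)."""
    blocker = Blocker(**kw)
    hit = [ip for ip in (blocker.feed(line) for line in lines) if ip]
    return hit, blocker


# Constructed sample: the first six lines are copied from the quoted excerpt,
# the rest are made up (192.0.2.7 is TEST-NET-1) to show a source that stays
# under the threshold and the expiry of a ban.
SAMPLE_LOG = """\
Jan  8 06:11:22 fusion sshd[43967]: Failed password for root from 64.246.44.130 port 54213 ssh2
Jan  8 06:11:22 fusion sshd[43969]: Failed password for root from 64.246.44.130 port 54219 ssh2
Jan  8 06:11:22 fusion sshd[43971]: Illegal user webmaster from 64.246.44.130
Jan  8 06:11:22 fusion sshd[43973]: Illegal user data from 64.246.44.130
Jan  8 06:11:23 fusion sshd[43975]: Illegal user user from 64.246.44.130
Jan  8 06:11:23 fusion sshd[43977]: Illegal user user from 64.246.44.130
Jan  8 06:11:30 fusion sshd[44100]: Failed password for alice from 192.0.2.7 port 40001 ssh2
Jan  8 06:11:31 fusion sshd[44101]: Accepted publickey for alice from 192.0.2.7 port 40001 ssh2
Jan  8 06:11:40 fusion sshd[44102]: Failed password for root from 64.246.44.130 port 54400 ssh2
Jan  8 06:25:00 fusion sshd[44300]: Failed password for bob from 192.0.2.7 port 40002 ssh2
"""

if __name__ == "__main__":
    import sys
    # Interactive: run over the sample. Piped (tail -F /var/log/auth.log | ...): read stdin.
    source = SAMPLE_LOG.splitlines() if sys.stdin.isatty() else sys.stdin
    hit, blocker = scan(source)
    print("\n".join(blocker.commands))
```

Two caveats worth keeping in mind before running it with dry_run=False as root: bans are only expired when another log line arrives, so a quiet box keeps a rule longer than `ban` seconds (a timer or a cron job that calls expire() fixes that), and a rule keyed on the source address is useless against an attacker who rotates hosts, so the threshold should be paired with key-only authentication or a restricted AllowUsers list rather than relied on alone.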




More information about the freebsd-questions mailing list