sshd break-in attempt
Per olof Ljungmark
peo at intersonic.se
Tue Jan 2 06:40:05 PST 2007
Nathan Vidican wrote:
> We keep getting attempts from what look like a username/password scanner
> utility to login to our servers externally via sshd. Thankfully, we're
> not ignorant enough to leave common account names open, however it is
> annoying to say the least. We're getting things like this:
>
> Jan 1 09:07:34 fw sshd[66547]: Invalid user staff from 208.44.210.15
> Jan 1 09:07:35 fw sshd[66549]: Invalid user sales from 208.44.210.15
> Jan 1 09:07:36 fw sshd[66551]: Invalid user recruit from 208.44.210.15
> Jan 1 09:07:37 fw sshd[66553]: Invalid user alias from 208.44.210.15
> Jan 1 09:07:38 fw sshd[66555]: Invalid user office from 208.44.210.15
> Jan 1 09:07:38 fw sshd[66557]: Invalid user samba from 208.44.210.15
> Jan 1 09:07:39 fw sshd[66559]: Invalid user tomcat from 208.44.210.15
> Jan 1 09:07:40 fw sshd[66561]: Invalid user webadmin from 208.44.210.15
> Jan 1 09:07:41 fw sshd[66563]: Invalid user spam from 208.44.210.15
> Jan 1 09:07:42 fw sshd[66565]: Invalid user virus from 208.44.210.15
> Jan 1 09:07:43 fw sshd[66567]: Invalid user cyrus from 208.44.210.15
> Jan 1 09:07:43 fw sshd[66569]: Invalid user staff from 208.44.210.15
> Jan 1 09:07:44 fw sshd[66571]: Invalid user oracle from 208.44.210.15
>
> In our 'periodic daily' report/email, (only the list goes on for
> hundreds of attempts). Anyhow, long story short; is there not an easy
> way to make sshd block or deny hosts temporarily if X number of invalid
> login attempts are made within a minute's time? Must I use an external
> wrapper to accomplish this, or can it be done with options to sshd on
> it's own?
There are several ways to block the attacks, one pointed out by first
respondent, we use Denyhosts and sshblock here.
Google should point you several others.
http://www.google.se/search?hl=en&q=ssh+attacks&btnG=Google+Search
More information about the freebsd-questions
mailing list