Please Help! How to STOP them...

Erik Norgaard norgaard at locolomo.org
Sun Jan 14 15:15:43 UTC 2007


VeeJay wrote:
> I am reading many hundred lines similar to below mentioned?
> 
> Could you please advise me what to do and how can I make my box more secure?
> 
> Jan  9 17:54:42 localhost sshd[5130]: reverse mapping checking getaddrinfo
> for bbs-83-179.189.218.on-nets.com [218.189.179.83] failed - POSSIBLE
> BREAK-IN ATTEMPT!
> Jan  9 17:54:42 localhost sshd[5130]: Invalid user sysadmin from
> 218.189.179.83
> 

Please, this is possibly the most frequently asked question not in the 
FAQ. Understand that whenever you make a service available on the 
internet, someone is going to try to break in. Be it ssh, smtp, dns, 
http etc. What you need to learn is to identify which attacks constitute 
a real threat to your system.

The first log entry is no sign of a break-in attempt. Just because a DNS 
server is misconfigured doesn't mean that people are trying to attack you.

The second line is evidence that some illicit events are recorded. But, 
there is no reason to worry about these if you have properly configured 
your box. Please search the archives for ssh brute force - this topic 
has been discussed a zillion times.

Some mention port knocking. This doesn't make people stop trying to get 
into your box. It introduces an extra hassle to do so as you first have 
to knock on the port a secret (but shared secret) sequence. Then you 
will authenticate as previously.

If you are troubled with messages in your log, there are plenty of 
ordinary things you can do:

- enforce key authentication
- restrict access to certain users or groups of users
- deny direct access as root
- enforce strong passwords, if you can't enforce key authentication
- limit the ip address space that is allowed to connect, to the space
   where you or your users are likely to be
- limit the number of simultaneous unauthenticated connections

Cheers, Erik
-- 
Ph: +34.666334818                      web: http://www.locolomo.org
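
An added example, not part of the original post: a small triage script that applies the distinction drawn in the reply, separating reverse-DNS noise and failed guesses from the one case worth investigating, a password login accepted after repeated failures from the same address. It goes beyond the two quoted lines by also reading "Failed password" and "Accepted" lines as OpenSSH normally logs them; the sample log (apart from its first two entries), the `triage` function, the threshold and the verdict names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample; only the first two entries are modelled on the quoted log.
SAMPLE_LOG = """\
Jan  9 17:54:42 localhost sshd[5130]: reverse mapping checking getaddrinfo for bbs-83-179.189.218.on-nets.com [218.189.179.83] failed - POSSIBLE BREAK-IN ATTEMPT!
Jan  9 17:54:42 localhost sshd[5130]: Invalid user sysadmin from 218.189.179.83
Jan  9 17:54:45 localhost sshd[5133]: Invalid user test from 218.189.179.83
Jan  9 17:54:49 localhost sshd[5136]: Failed password for root from 218.189.179.83 port 40112 ssh2
Jan  9 18:02:10 localhost sshd[5201]: Failed password for alice from 192.0.2.7 port 51514 ssh2
Jan  9 18:02:15 localhost sshd[5201]: Accepted password for alice from 192.0.2.7 port 51514 ssh2
Jan  9 18:30:01 localhost sshd[5302]: Failed password for backup from 203.0.113.9 port 40022 ssh2
Jan  9 18:30:04 localhost sshd[5305]: Failed password for backup from 203.0.113.9 port 40030 ssh2
Jan  9 18:30:09 localhost sshd[5309]: Accepted password for backup from 203.0.113.9 port 40041 ssh2
"""

# Checked in order; the first pattern that matches a line decides its kind.
PATTERNS = [
    ("dns_noise", re.compile(r"reverse mapping checking getaddrinfo for \S+ \[(?P<ip>[^\]]+)\] failed")),
    ("failure", re.compile(r"Invalid user (?P<user>\S+) from (?P<ip>\S+)")),
    ("failure", re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")),
    ("accepted", re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+)")),
]

def triage(log_text, threshold=2):
    """Return per-source-IP counters and a verdict: ok, guessing or review."""
    stats = defaultdict(lambda: {"dns_noise": 0, "failures": 0, "users": set(), "verdict": "ok"})
    for line in log_text.splitlines():
        if "sshd[" not in line:
            continue
        for kind, rx in PATTERNS:
            m = rx.search(line)
            if not m:
                continue
            s = stats[m.group("ip")]
            if kind == "dns_noise":
                s["dns_noise"] += 1          # broken reverse DNS, not an attack
            elif kind == "failure":
                s["failures"] += 1
                s["users"].add(m.group("user"))
                if s["verdict"] != "review":
                    s["verdict"] = "guessing"
            elif m.group("method") == "password" and s["failures"] >= threshold:
                s["verdict"] = "review"      # password accepted after repeated failures
            elif s["verdict"] != "review":
                s["failures"], s["verdict"] = 0, "ok"   # e.g. one typo, then success
            break
    return dict(stats)
```

With key authentication enforced, as the list above recommends, the "review" case cannot arise from password guessing, which is why the "guessing" entries can then be treated as noise.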


More information about the freebsd-questions mailing list