Question about entry in auth.log

Valentin Bud valentin.bud at gmail.com
Sat Nov 15 00:07:17 PST 2008


Hello,
 I personally use key authentication along with DenyUsers and
AllowUsers directives
from sshd. One more thing i do regarding ssh brute force is to make
use of the max-src-conn and
max-src-conn-rate from pf firewall.

My auth logs look like:
Nov 14 11:15:36 xxx sshd[3570]: User root from 211.55.48.179 not
allowed because not listed in AllowUsers
Nov 14 11:15:38 xxx sshd[3572]: Invalid user admin from 211.55.48.179
Nov 14 11:15:41 xxx sshd[3574]: Invalid user test from 211.55.48.179
Nov 14 11:15:44 xxx sshd[3576]: User root from 211.55.48.179 not
allowed because not listed in AllowUsers
Nov 14 11:15:46 xxx sshd[3578]: Invalid user ghost from 211.55.48.179

Five tries from the above ip and if unsuccessful it gets overloaded in
a table and
all the states originating from that ip are killed.

All the servers i have are web/mail ones, none of them is used for
users, so i don't know if this is a good approach
but i wrote it to help make an idea about it.

a great day,
v

On Sat, Nov 15, 2008 at 5:00 AM, Lisa Casey <lisa at mail.jellico.com> wrote:
>
>
> On Fri, 14 Nov 2008, Tom Marchand wrote:
>
>> Or michael is vacationing in Romania.
>
> Very odd. Sigh, Michael is not vacationing in Romania. Doubt he's ever been
> there. I got rid of the michael account (it wasn't used anyway), and
> downloaded a new copy of chkrootkit, installed it and ran it along with
> chklastlog and chkwtmp. Nothing was found. Pehaps this was a harmless enough
> prank? Anything else I ought to look at? Fortunately the michael account did
> not have te ability to su to root.
>
> Lisa
>
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
>


More information about the freebsd-questions mailing list