Security blocking question

APseudoUtopia apseudoutopia at gmail.com
Fri Oct 9 21:49:52 UTC 2009


On Fri, Oct 9, 2009 at 5:45 PM, Aflatoon Aflatooni <aaflatooni at yahoo.com> wrote:
> Hi,
> The production server that has a public IP address has SSH enabled. This server is continuously under dictionary attack:
> Oct  8 12:58:40 seven sshd[32248]: Invalid user europa from 83.65.199.91
> Oct  8 12:58:40 seven sshd[32250]: Invalid user hacked from 83.65.199.91
> Oct  8 12:58:40 seven sshd[32251]: Invalid user cop\r from 83.65.199.91
> Oct  8 12:58:41 seven sshd[32254]: Invalid user gel from 83.65.199.91
> Oct  8 12:58:41 seven sshd[32255]: Invalid user dork from 83.65.199.91
> Oct  8 12:58:41 seven sshd[32258]: Invalid user eva from 83.65.199.91
> Oct  8 12:58:41 seven sshd[32260]: Invalid user hacker from 83.65.199.91
> Oct  8 12:58:41 seven sshd[32261]: Invalid user copila\r from 83.65.199.91
> Oct  8 12:58:42 seven sshd[32265]: Invalid user dorna from 83.65.199.91
> Oct  8 12:58:42 seven sshd[32264]: Invalid user gelo from 83.65.199.91
> Oct  8 12:58:42 seven sshd[32268]: Invalid user evara from 83.65.199.91
> Oct  8 12:58:43 seven sshd[32270]: Invalid user hack from 83.65.199.91
> Oct  8 12:58:43 seven sshd[32271]: Invalid user copil\r from 83.65.199.91
> Oct  8 12:58:43 seven sshd[32274]: Invalid user Doubled from 83.65.199.91
> Oct  8 12:58:43 seven sshd[32275]: Invalid user gelos from 83.65.199.91
> Oct  8 12:58:44 seven sshd[32278]: Invalid user eve from 83.65.199.91
>
> Is there a way that I could configure the server so that if there are for example X attempts from an IP address then for the next Y hours all the SSH requests would be ignored from that IP address?
> There are only a handful of people who have access to that server.
>
> Thanks
>

I don't think OpenSSH has this feature. You would have to look to a
firewall solution for this (I recommend PF). There is also software in
the ports collection that I've heard of to help this problem. I've
never used any of them, but fail2ban seems to be a popular one.

I would also recommend using a non-standard SSH port if possible. It
would cut down on the bot spam considerably.
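As an added example that is not part of the thread, here is how the two suggestions in the reply fit together: a fail2ban-style watcher that applies the question's "X attempts" rule to sshd log lines and hands offending addresses to a PF table, with the "Y hours" enforced by PF table expiry. The table name `bruteforce`, the pf.conf block rule and the cron expiry are assumptions, and the second source address in the sample is constructed.

```python
"""Fail2ban-style counter for sshd failures feeding a PF table: X failures in a
sliding window flag the source; the Y-hour ban is assumed to come from PF table
expiry (`pfctl -t bruteforce -T expire <seconds>` from cron). Hypothetical."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# "Invalid user X from IP" as quoted in the question, plus sshd's
# "Failed password for ..." form for existing accounts.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?:Invalid user \S+|Failed password for (?:invalid user )?\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)
# Constructed sample: five lines from the quoted log plus a second source
# that fails only twice and must not be flagged.
SAMPLE_LOG = [
    "Oct  8 12:58:40 seven sshd[32248]: Invalid user europa from 83.65.199.91",
    "Oct  8 12:58:40 seven sshd[32250]: Invalid user hacked from 83.65.199.91",
    "Oct  8 12:58:40 seven sshd[32251]: Invalid user cop\\r from 83.65.199.91",
    "Oct  8 12:58:41 seven sshd[32254]: Invalid user gel from 83.65.199.91",
    "Oct  8 12:58:41 seven sshd[32255]: Invalid user dork from 83.65.199.91",
    "Oct  8 13:05:00 seven sshd[32301]: Failed password for root from 192.0.2.10 port 4022 ssh2",
    "Oct  8 13:05:03 seven sshd[32303]: Failed password for root from 192.0.2.10 port 4023 ssh2",
]

def offending_ips(lines, max_attempts=5, window_seconds=600, year=2009):
    """Map ip -> time of the failure that reached max_attempts inside any
    sliding window of window_seconds (syslog omits the year; 2009 assumed)."""
    window = timedelta(seconds=window_seconds)
    recent, flagged = defaultdict(deque), {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a failed-login line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:         # forget attempts outside the window
            q.popleft()
        if len(q) >= max_attempts and m["ip"] not in flagged:
            flagged[m["ip"]] = ts
    return flagged

def pfctl_commands(flagged, table="bruteforce"):
    """pfctl calls adding each flagged IP to a PF table; pf.conf is assumed
    to carry `block in quick from <bruteforce>`."""
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(flagged)]
```

PF's own `max-src-conn-rate` / `overload` option counts new TCP connections per source rather than failed logins, so it also trips on a legitimate user opening many sessions; counting sshd failures from the log, as above, is what fail2ban does.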


More information about the freebsd-questions mailing list