Attacks on ssh port
David D.W. Downey
david.downey at gmail.com
Sat Sep 18 10:30:28 PDT 2004
On Sat, 18 Sep 2004 14:18:32 +0200, Willem Jan Withagen <wjw at withagen.nl> wrote:
> Hi,
>
> Is there a security problem with ssh that I've missed???
> Ik keep getting these hords of:
> Failed password for root from 69.242.5.195 port 39239 ssh2
> with all kinds of different source addresses.
>
> They have a shot or 15 and then they are of again, but a little later on
> they're back and keep clogging my logs.
> Is there a "easy" way of getting these ip-numbers added to the
> blocking-list of ipfw??
>
> Thanx,
> --WjW
well you want to see those. So long as you have
PermitRootLogin no
in your /etc/ssh/sshd_config, they won't be able to get in since ssh
is then denied for root (except via a valid ssh key which you can
further lock down by adding
from="ip.addr, forward.dns.record.of.host"
to the beginning of your ssh-dsa or ssh-rsa key line in ~/.ssh/authorized_keys)
A better solution to the verbosity level would probably be to change
your kernel config to have something like
options IPFIREWALL_VERBOSE_LIMIT=3
or using the sysctl.conf oid
net.inet.ip.fw.verbose_limit=3
Then you can still see the attempts (and thus log the IP information
for contacting the abuse@ for the responsible IP controller) while
limiting your log sizes.
--
David D.W. Downey
More information about the freebsd-security
mailing list