machine hangs on occasion - correlated with ssh break-in attempts
Christian Laursen
xi at borderworlds.dk
Thu Aug 21 19:58:03 UTC 2008
Mikhail Teterin <mi+mill at aldan.algebra.com> writes:
> A machine I manage remotely for a friend comes under a distributed ssh
> break-in attack every once in a while. Annoyed (and alarmed) by the
> messages like:
>
> Aug 12 10:21:17 symbion sshd[4333]: Invalid user mythtv from 85.234.158.180
> Aug 12 10:21:18 symbion sshd[4335]: Invalid user mythtv from 85.234.158.180
> Aug 12 10:21:20 symbion sshd[4337]: Invalid user mythtv from 85.234.158.180
> Aug 12 10:21:21 symbion sshd[4339]: Invalid user mythtv from 85.234.158.180
>
> I wrote an awk-script, which adds a block of the attacking IP-address
> to the ipfw-rules after three such "invalid user" attempts with:
>
> ipfw add 550 deny ip from ip
I don't know if it will make your problem go away, but using ipfw
tables for this seems to be a better idea than creating a new rule for
every IP address.
So you just need one rule:
ipfw add 550 deny ip from table(1)
And then when you want to add an IP address to the table:
ipfw table 1 add <ip>
You can add ranges too using the CIDR notation.
--
Christian Laursen
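As an added example that is not part of the thread, the following sh/awk script combines the two posts: it counts "Invalid user" sshd lines per source address, as Mikhail's awk script does, and after three of them adds the address to ipfw table 1 so that the single `deny ip from table(1)` rule Christian suggests blocks it. The table number, threshold, log path and the `ipfw table N list` output format (one "addr/len value" entry per line) are assumptions; the address is taken as the word after "from", so the later "from A.B.C.D port N" log form also works.

```shell
#!/bin/sh
# Added example, not from the thread: turn "three Invalid user attempts"
# into entries in an ipfw table, so that one rule such as
#   ipfw add 550 deny ip from table(1)
# blocks every listed address. Table number, threshold and log path are
# assumptions; override them through the environment.
THRESHOLD="${THRESHOLD:-3}"
TABLE="${TABLE:-1}"
IPFW="${IPFW:-ipfw}"            # point at a stub to dry-run without ipfw

# Print "count address" for each source address with at least THRESHOLD
# "Invalid user" lines in the given log files (or stdin). The address is
# the word after "from", so "from A.B.C.D port N" is handled as well.
offenders() {
    awk -v t="$THRESHOLD" '
        /sshd\[[0-9]+\]: Invalid user / {
            ip = ""
            for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) n[ip]++
        }
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }
    ' "$@" | sort -rn
}

# Succeeds if the address is already in the table (assumed "ipfw table N
# list" format: one "addr/len value" entry per line).
in_table() {
    "$IPFW" table "$TABLE" list 2>/dev/null |
        awk -v a="$1/32" '$1 == a { f = 1 } END { exit !f }'
}

# Add every offender that is not yet in the table.
block_offenders() {
    offenders "$@" | while read -r count ip; do
        in_table "$ip" && continue
        "$IPFW" table "$TABLE" add "$ip"
    done
}

# Usage: sh sshblock.sh /var/log/auth.log   (as root, e.g. from cron)
if [ "$#" -gt 0 ]; then
    block_offenders "$@"
fi
```

Because the table is keyed by address, re-running the script is idempotent, and ranges can be added to the same table by hand in CIDR notation as Christian notes.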