increasing failed sshd logins/clearing breadcrumb trails

Glenn Sieb ges+lists at
Tue Sep 14 19:23:25 PDT 2004

John DeStefano said the following on 9/14/2004 10:15 PM:

>I've noticed a few posts over the past week or so regarding users'
>servers being probed by remote ssh attempts.  Coincidentally (or
>perhaps not so), around that time, I began getting quite a few records
>of such attempts to my server, at the rate of about 3 tries per IP, and
>about three IPs per night.  Unfortunately, last night (Mon Sep 13),
>this attack was much more concentrated and persistent: someone from (or
>spoofing from) one IP ( hammered my server with login
>attempts over a 20-minute period.  The last report I got was a final,
>failed root password at 20:22:13 Eastern Time (GMT-5:00).
I've been getting this for weeks. They're all under APNIC, and emails to 
abuse at the involved networks have gone unanswered.

The easiest way to protect this is to check your sshd_config and set:
PermitRootLogin no

Which, if you're exposed to the 'Net, would be a sane practice--force 
people to log in as themselves and su (or sudo or sudoscript) to root.

Admittedly, I am not sure about the rest of your posting. When I run 
last (on 4.10-STABLE), it shows logins back to the 1st of September.
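Two things a practitioner would want to do after reading this thread are to measure how hard a host is being hammered and to confirm that the suggested sshd_config change is actually in effect. The POSIX shell script below is an added example and is not part of the original post. It parses OpenSSH's standard "Failed password for ... from ... port ..." auth-log lines (the constructed sample lines are made up for the demonstration; the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 addresses are documentation ranges, not real attackers), counts failures per source address, counts attempts against root specifically, and reads the effective PermitRootLogin value from an sshd_config file. The log file path /var/log/auth.log is an assumption; on FreeBSD the equivalent messages usually land in /var/log/auth.log as well, but check syslog.conf.

```shell
#!/bin/sh
# Added example: summarise sshd password failures and check PermitRootLogin.
# Not from the original post; log lines below are constructed sample data.

SAMPLE_LOG='Sep 13 20:21:55 host sshd[1234]: Failed password for root from 192.0.2.10 port 40122 ssh2
Sep 13 20:21:58 host sshd[1235]: Failed password for invalid user test from 192.0.2.10 port 40130 ssh2
Sep 13 20:22:13 host sshd[1236]: Failed password for root from 192.0.2.10 port 40141 ssh2
Sep 13 21:02:01 host sshd[1300]: Failed password for admin from 198.51.100.7 port 51000 ssh2
Sep 13 21:05:44 host sshd[1305]: Accepted publickey for alice from 203.0.113.5 port 50022 ssh2'

# failed_by_ip: read log lines on stdin, print "<count> <ip>" per source
# address, busiest first. Only "Failed password" lines from sshd count.
failed_by_ip() {
  grep 'sshd\[[0-9]*\]: Failed password' |
    sed -n 's/.* from \([0-9.]*\) port .*/\1/p' |
    sort | uniq -c | sort -rn
}

# root_attempts: number of failed password attempts aimed at root.
# With PermitRootLogin set to "no" these can never succeed, but they are
# still the clearest signal of an automated guessing run.
root_attempts() {
  grep -c 'Failed password for root from'
}

# permit_root_login: print the effective PermitRootLogin value from the
# given sshd_config. sshd uses the FIRST uncommented occurrence of a
# keyword, so later duplicates are ignored (hence "exit" on first match).
# Anything other than "no" still allows root logins in some form.
permit_root_login() {
  awk 'tolower($1) == "permitrootlogin" { print $2; exit }' "$1"
}

# Stand-alone demonstration on the constructed sample.
echo "Failed logins per source IP:"
printf '%s\n' "$SAMPLE_LOG" | failed_by_ip
echo "Attempts against root: $(printf '%s\n' "$SAMPLE_LOG" | root_attempts)"

# Real-world use: same functions over the live auth log, if readable
# (path is an assumption; adjust for your syslog.conf).
if [ -r /var/log/auth.log ]; then
  failed_by_ip < /var/log/auth.log | head -10
fi
if [ -r /etc/ssh/sshd_config ]; then
  echo "PermitRootLogin is: $(permit_root_login /etc/ssh/sshd_config)"
fi
```

If `permit_root_login` prints nothing, the directive is absent and sshd falls back to its compiled-in default, which on OpenSSH releases of that era was to permit root logins; add an explicit `PermitRootLogin no` rather than relying on the default.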


