Illegal access attempt - FreeBSD 5.4 Release - please advise

Bob Johnson fbsdlists at
Wed Aug 24 20:24:39 GMT 2005

On 8/24/05, ro ro <ricking505 at> wrote:
> Hi All,
> I was browsing through my log files and noticed that
> someone (or many people) is trying to gain illegal
> access to my server (see snippet from log files
> below).
> The below log file clearly indicates someone trying to
> hack away at my personal server.
> I performed the following steps: 
> nmap -v

I recommend that you not make a habit of this.  It will eventually
result in a complaint to your ISP that you were attacking the system
you scanned.

Use dig to get a clue about who owns the network that is attacking you:

$ dig -x 
;    IN      PTR

;; AUTHORITY SECTION: 10800   IN      SOA 2001092701 10800 3600 604800 86400

There is no PTR info, but the attack is coming from a network
controlled by (the SOA).  Sending a complaint to them
might be effective.  You can use whois to try to figure out where to
mail the complaint, but it is easier to use
( to send a complaint: you email the complaint to, and they forward it to the correct address, so you don't
have to spend a lot of time figuring out where to send it.

> When I saw the logs for the first time. I took the
> following steps: 
> 1) AllowUsers in sshd contained only users that I
> wanted to have access to my ssh 
> 2) Created a decent ruleset within ipfw that permitted
> incoming access to only two ports, ssh and http
> I took the issue of creating a good firewall quite
> lightly and now I regret that decision. Now I have
> learnt. Can someone provide me with guidance on this
> issue and advise me on next steps to take action
> against such losers.

Get used to it.  Seriously.  

The log you show appears to be an automated attack.  You can expect a
steady stream of them, mostly from worms (which I think is the case
here), viruses, and zombie networks.  Keep your system updated (use
freebsd-update and portaudit), use appropriate firewall rules, and you
shouldn't have a problem.

> Aug 11 20:16:10 free sshd[21585]: Illegal user test
> from
> Aug 11 20:16:12 free sshd[21587]: Illegal user guest
> from
> Aug 11 20:16:14 free sshd[21589]: Illegal user admin
> from
> Aug 11 20:16:16 free sshd[21591]: Illegal user admin
> from
> Aug 11 20:16:23 free sshd[21593]: Illegal user user
> from
> Aug 11 20:16:32 free sshd[21601]: Illegal user test
> from

This particular attack is using a much smaller set of userIDs than
some.  I had one last night that was hitting hundreds of them.  I sent
a complaint to the ISP (via, and about ten minutes later it
quit.  I don't know if it was because of the complaint, or if it just
ran out of names to try, but it was gratifying just the same.

- Bob
