High levels of breakin attempts

Tom Vilot tom at vilot.com
Mon Jan 10 21:23:14 PST 2005


Gene wrote:

> Over the past few months there have been a remarkably high level  of 
> brute force attacks logged by sshd. I was wondering, is there a way 
> that sshd (or some other package) can monitor login attempts and if 
> more than say 5 or 6 attempts are made to login from a particular ip 
> address, temporarily block that address (perhaps at the firewall)? 
> It'd be real satisfying to just dump the attackers' packets to the bit 
> bucket and slow 'em down a bit.


Yeah, I have experienced exactly the same thing. I think I may write a 
simple daemon Perl script that watches the tail of auth.log for some of 
this crap and installs firewalls ad hoc.

Here's a (very, very small) dump from /var/log/auth.log

Jan  8 06:11:22 fusion sshd[43967]: Failed password for root from 64.246.44.130 port 54213 ssh2
Jan  8 06:11:22 fusion sshd[43969]: Failed password for root from 64.246.44.130 port 54219 ssh2
Jan  8 06:11:22 fusion sshd[43971]: Illegal user webmaster from 64.246.44.130
Jan  8 06:11:22 fusion sshd[43973]: Illegal user data from 64.246.44.130
Jan  8 06:11:23 fusion sshd[43975]: Illegal user user from 64.246.44.130
Jan  8 06:11:23 fusion sshd[43977]: Illegal user user from 64.246.44.130
Jan  8 06:11:23 fusion sshd[43979]: Illegal user user from 64.246.44.130
Jan  8 06:11:23 fusion sshd[43981]: Illegal user web from 64.246.44.130
Jan  8 06:11:24 fusion sshd[43983]: Illegal user web from 64.246.44.130
Jan  8 06:11:24 fusion sshd[43985]: Illegal user oracle from 64.246.44.130
Jan  8 06:11:24 fusion sshd[43987]: Illegal user sybase from 64.246.44.130
Jan  8 06:11:24 fusion sshd[43989]: Illegal user master from 64.246.44.130
Jan  8 06:11:25 fusion sshd[43991]: Illegal user account from 64.246.44.130
Jan  8 06:11:25 fusion sshd[43993]: Illegal user backup from 64.246.44.130
Jan  8 06:11:25 fusion sshd[43995]: Illegal user server from 64.246.44.130
Jan  8 06:11:25 fusion sshd[43998]: Illegal user adam from 64.246.44.130
Jan  8 06:11:26 fusion sshd[44000]: Illegal user alan from 64.246.44.130
Jan  8 06:11:26 fusion sshd[44002]: Illegal user frank from 64.246.44.130
Jan  8 06:11:26 fusion sshd[44004]: Illegal user george from 64.246.44.130
Jan  8 06:11:26 fusion sshd[44006]: Illegal user henry from 64.246.44.130
Jan  8 06:11:26 fusion sshd[44008]: Failed password for john from 64.246.44.130 port 54348 ssh2

Interestingly, 64.246.44.130 is within the IP range of ev1servers.net 
which is where my BSD machine is located.

..... FUCKERS.


:(
More information about the freebsd-questions mailing list
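The log-watching daemon sketched in the post (tail auth.log, count failures per source address, block the address at the firewall once it passes a threshold) as an added, stand-alone example. This is not Tom's script and not a FreeBSD tool; it is written in Python rather than Perl, it assumes ipfw(8) is the firewall in use (the rule it emits is `ipfw add deny ip from <ip> to any`), it assumes the syslog year since the timestamps carry none, and the sample log is constructed: the first six lines are the ones quoted in the post unwrapped onto single lines, the last three are made up to show a non-failure line and a second, below-threshold source.

```python
"""Watch sshd auth.log lines, count failures per source IP inside a sliding
window, and emit a firewall block the first time an IP crosses the threshold.
Added example; the ipfw rule form and the sample log lines are assumptions."""
import re
import sys
from collections import defaultdict, deque
from datetime import datetime

# The two sshd failure messages seen in the post (OpenSSH 3.x wording).
# Newer sshd says "Invalid user" rather than "Illegal user"; both are accepted.
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?\S+ from (?P<ip1>" + IPV4 + r")"
    r"|(?:Illegal|Invalid) user \S+ from (?P<ip2>" + IPV4 + r"))"
)


def block_command(ip):
    """Firewall command for one offender.  Assumption: ipfw(8) is in use;
    with pf you would add the address to a table via pfctl -t <table> -T add."""
    return ["ipfw", "add", "deny", "ip", "from", ip, "to", "any"]


class BruteForceWatcher:
    """Sliding-window counter of sshd authentication failures keyed by source IP."""

    def __init__(self, threshold=5, window_seconds=600, year=2005, whitelist=()):
        self.threshold = threshold
        self.window = window_seconds
        self.year = year                  # syslog timestamps carry no year (assumed)
        self.whitelist = set(whitelist)   # admin hosts that must never be blocked
        self.events = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked = set()

    def parse(self, line):
        """Return (timestamp, ip) for a failure line, or None for anything else."""
        m = FAIL_RE.match(line)
        if m is None:
            return None
        ts = datetime.strptime("%d %s" % (self.year, m.group("ts")),
                               "%Y %b %d %H:%M:%S")
        return ts, (m.group("ip1") or m.group("ip2"))

    def feed(self, line):
        """Consume one log line.  Returns a block command the first time an IP
        reaches `threshold` failures inside `window` seconds, otherwise None."""
        parsed = self.parse(line)
        if parsed is None:
            return None
        ts, ip = parsed
        if ip in self.whitelist or ip in self.blocked:
            return None
        q = self.events[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > self.window:
            q.popleft()                   # forget failures older than the window
        if len(q) >= self.threshold:
            self.blocked.add(ip)
            del self.events[ip]           # no need to keep counting a blocked host
            return block_command(ip)
        return None


def run_lines(lines, **kwargs):
    """Feed every line through one watcher; return the block commands produced."""
    watcher = BruteForceWatcher(**kwargs)
    return [cmd for cmd in (watcher.feed(l) for l in lines) if cmd is not None]


# Constructed sample: first six lines are the post's, unwrapped; the rest are made up.
SAMPLE_LOG = """\
Jan  8 06:11:22 fusion sshd[43967]: Failed password for root from 64.246.44.130 port 54213 ssh2
Jan  8 06:11:22 fusion sshd[43969]: Failed password for root from 64.246.44.130 port 54219 ssh2
Jan  8 06:11:22 fusion sshd[43971]: Illegal user webmaster from 64.246.44.130
Jan  8 06:11:22 fusion sshd[43973]: Illegal user data from 64.246.44.130
Jan  8 06:11:23 fusion sshd[43975]: Illegal user user from 64.246.44.130
Jan  8 06:11:23 fusion sshd[43977]: Illegal user user from 64.246.44.130
Jan  8 06:11:30 fusion sshd[44100]: Accepted publickey for tom from 192.0.2.10 port 40000 ssh2
Jan  8 06:12:01 fusion sshd[44102]: Failed password for tom from 192.0.2.10 port 40001 ssh2
Jan  8 06:12:05 fusion sshd[44104]: Failed password for tom from 192.0.2.10 port 40002 ssh2
"""

if __name__ == "__main__":
    # Real use:  tail -F /var/log/auth.log | python3 thisscript.py
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    for cmd in run_lines(source):
        print(" ".join(cmd))   # swap for subprocess.run(cmd, check=True) to enforce
```

Two things to get right before letting anything like this insert rules on its own: put your own management addresses in `whitelist` first, since a few mistyped passwords would otherwise lock you out of the box, and give blocks an expiry (an `ipfw delete` after some hours) so the rule list does not grow without bound. Per-IP counting also does nothing against an attacker spreading attempts across many source addresses, so it slows the noise down, as Gene hoped, rather than replacing strong authentication on the accounts being guessed.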