sshd possible breakin attempt messages
noeldude at gmail.com
Mon Feb 6 09:18:19 PST 2006
On 2/6/06, Brad Gilmer <bgilmer at gilmer.org> wrote:
> Hello all,
> I guess one of the banes of our existence as Sys Admins is that people are always pounding away at our systems trying to break in. Lately, I have been getting hit with several hundred of the messages below per day in my security report output...
> gilmer.org login failures:
> Feb 5 11:18:17 gilmer sshd: reverse mapping checking getaddrinfo for 206-171-37-232.ded.pacbell.net failed - POSSIBLE BREAKIN ATTEMPT!
> Feb 5 11:18:18 gilmer sshd: reverse mapping checking getaddrinfo for 206-171-37-232.ded.pacbell.net failed - POSSIBLE BREAKIN ATTEMPT!
> Feb 5 11:18:20 gilmer sshd: reverse mapping checking getaddrinfo for 206-171-37-232.ded.pacbell.net failed - POSSIBLE BREAKIN ATTEMPT!
> I am running FreeBSD 5.4 RELEASE, and right now this box is not a production machine, but I am going to be taking it live fairly soon. Questions:
> 1) Is there anything I should be doing to thwart this particular attack?
The POSSIBLE BREAKIN ATTEMPT message is caused by a failed reverse DNS
lookup, and will happen with legit logins too if you have no reverse
DNS. You can silence this particular message by adding to your
To prevent attackers from hammering away at your server, try
Bruteforceblocker by default adds an abusive IP to a pf firewall
blacklist, but can be very easily modified for IPFW or adding a null
> 2) Given that I am on 5.4, should I upgrade my sshd or do anything else at this point to make sure my machine is as secure as possible?
Just keep up with the version 5 security patches.
> 3) (Meta-question) - Should I upgrade to 6.0 before I go live to be sure I am in the best possible security situation going forward? Should I wait until 6.1 for bug fixes (generally I am opposed to n.0 anything).
Your call. Base your decision on what features you need.
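An added example, not code from the thread or from bruteforceblocker, of the distinction the reply draws: a small Python triage pass that treats the "reverse mapping checking getaddrinfo ... failed" lines as DNS warnings (they carry only a hostname, so there is nothing to block), counts only real authentication failures per source address, and emits pf table commands in the bruteforceblocker style. The "Failed password" lines, the 3-in-60-seconds threshold and the table name `bruteforce` are constructed assumptions, not values from the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: the three reverse-mapping lines quoted in the post,
# plus constructed OpenSSH "Failed password" lines from documentation-range IPs.
SAMPLE_LOG = """\
Feb 5 11:18:17 gilmer sshd: reverse mapping checking getaddrinfo for 206-171-37-232.ded.pacbell.net failed - POSSIBLE BREAKIN ATTEMPT!
Feb 5 11:18:18 gilmer sshd: reverse mapping checking getaddrinfo for 206-171-37-232.ded.pacbell.net failed - POSSIBLE BREAKIN ATTEMPT!
Feb 5 11:18:20 gilmer sshd: reverse mapping checking getaddrinfo for 206-171-37-232.ded.pacbell.net failed - POSSIBLE BREAKIN ATTEMPT!
Feb 5 11:18:17 gilmer sshd: Failed password for invalid user admin from 192.0.2.10 port 4022 ssh2
Feb 5 11:18:18 gilmer sshd: Failed password for invalid user test from 192.0.2.10 port 4023 ssh2
Feb 5 11:18:20 gilmer sshd: Failed password for root from 192.0.2.10 port 4024 ssh2
Feb 5 11:40:01 gilmer sshd: Failed password for bgilmer from 198.51.100.7 port 5100 ssh2
"""

REVERSE_MAP = re.compile(r"reverse mapping checking getaddrinfo for (\S+) failed")
AUTH_FAIL = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
TIMESTAMP = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")

def parse_time(line, year=2006):
    """syslog lines carry no year; the caller supplies it (assumed 2006 here)."""
    m = TIMESTAMP.match(line)
    return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")

def triage(log_text, threshold=3, window_seconds=60):
    """Return (dns_warnings, offenders).

    dns_warnings: {hostname: count} of reverse-mapping failures. These are
        DNS problems, not login failures, and are never counted for blocking.
    offenders: sorted source IPs with >= threshold auth failures inside any
        window_seconds span (the blocklist candidates).
    """
    dns_warnings = defaultdict(int)
    failures = defaultdict(list)  # ip -> [datetime, ...]
    for line in log_text.splitlines():
        m = REVERSE_MAP.search(line)
        if m:
            dns_warnings[m.group(1)] += 1
            continue
        m = AUTH_FAIL.search(line)
        if m:
            failures[m.group(2)].append(parse_time(line))
    offenders = []
    for ip, times in failures.items():
        times.sort()
        # sliding window: any `threshold` consecutive failures within the window
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                offenders.append(ip)
                break
    return dict(dns_warnings), sorted(offenders)

def pfctl_add_commands(ips, table="bruteforce"):
    """pf table additions in the bruteforceblocker style (table name assumed)."""
    return [f"pfctl -t {table} -T add {ip}" for ip in ips]
```

Run `triage(SAMPLE_LOG)` to see that the three reverse-mapping lines land in `dns_warnings` while only 192.0.2.10 becomes a blocklist candidate; 198.51.100.7, with a single failure, does not.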