sshd possible breakin attempt messages
Kristian Vaaf
vaaf at broadpark.no
Mon Feb 6 12:23:54 PST 2006
At 18:03 06.02.2006, Kevin Kinsey wrote:
>Brad Gilmer wrote:
>
>>Hello all,
>>
>>I guess one of the banes of our existance as Sys Admins is that
>>people are always pounding away at our systems trying to break
>>in. Lately, I have been getting hit with several hundred of the
>>messages below per dayin my security report output...
>>
>>gilmer.org login failures:
>>Feb 5 11:18:17 gilmer sshd[78078]: reverse mapping checking
>>getaddrinfo for 206-171-37-232.ded.pacbell.net failed - POSSIBLE
>>BREAKIN ATTEMPT!
>>Feb 5 11:18:18 gilmer sshd[78080]: reverse mapping checking
>>getaddrinfo for 206-171-37-232.ded.pacbell.net failed - POSSIBLE
>>BREAKIN ATTEMPT!
>>Feb 5 11:18:20 gilmer sshd[78082]: reverse mapping checking
>>getaddrinfo for 206-171-37-232.ded.pacbell.net failed - POSSIBLE
>>BREAKIN ATTEMPT!
>>
>>I am running FreeBSD 5.4 RELEASE, and right now this box is not a
>>production machine, but I am going to be taking it live fairly
>>soon. Questions:
>>
>>1) Is there anything I should be doing to thwart this particular attack?
>>
>
>IANAE on security, but there are several possibilities. Here are a couple
>ideas from my deadbeat security brain:
>
> 1. edit /etc/ssh/sshd_config and make sure that only the right users
> and such are allowed to login, and via the right methods.
>
> 2. If the situation allows, you can wrap sshd via /etc/hosts.allow to
> only allow logins from certain IP addresses (i.e., wherever you
> intend to admin this box from).
>
>Note that, as I mentioned, IANAE, and there is plenty of other "higher
>level" security actions that can be taken to secure a box from attack.
>Maybe some less-newbie-than-me guru will step up to the plate on that;
>maybe not.
>
>>2) Given that I am on 5.4, should I upgrade my sshd or do anything
>>else at this point to make sure my machine is as secure as possible?
>>
>
>Check the advisories at the freebsd.org web site, and keep tracking
>RELENG_5_4 with cvsup/buildworld, etc. to stay up to date is a good
>starting point.
>
>>3) (Meta-question) - Should I upgrade to 6.0 before I go live to
>>be sure I am in the best possible security situation going forward?
>>Should I wait until 6.1 for bug fixes (generally I am opposed to
>>n.0 anything).
>>
>>
>
>Meta-answer, if possible from an idiot like me: 6.0 is actually a very
>notable exception to the "don't grab the zero release" rule in my case.
>YMMV, of course. Last week I upgraded my last 5.X boxen to 6.X, and
>I don't plan on looking back! Now, if I could just find time to
>backup/reinstall that 4.X boxen that's locked up so far away!!!
>
>>Thanks
>>Brad
>>
>
>You're welcome.
>
>Kevin Kinsey
Sorry, but what is IANAE and YMMV?
Thank you!
Vaaf
More information about the freebsd-questions
mailing list