sshd possible breakin attempt messages

Mike Jeays mj001 at rogers.com
Mon Feb 6 12:35:42 PST 2006


On Mon, 2006-02-06 at 21:23 +0100, Kristian Vaaf wrote:
> At 18:03 06.02.2006, Kevin Kinsey wrote:
> >Brad Gilmer wrote:
> >
> >>Hello all,
> >>
> >>I guess one of the banes of our existence as Sys Admins is that 
> >>people are always pounding away at our systems trying to break 
> >>in.  Lately, I have been getting hit with several hundred of the 
> >>messages below per day in my security report output...
> >>
> >>gilmer.org login failures:
> >>Feb  5 11:18:17 gilmer sshd[78078]: reverse mapping checking 
> >>getaddrinfo for 206-171-37-232.ded.pacbell.net failed - POSSIBLE 
> >>BREAKIN ATTEMPT!
> >>Feb  5 11:18:18 gilmer sshd[78080]: reverse mapping checking 
> >>getaddrinfo for 206-171-37-232.ded.pacbell.net failed - POSSIBLE 
> >>BREAKIN ATTEMPT!
> >>Feb  5 11:18:20 gilmer sshd[78082]: reverse mapping checking 
> >>getaddrinfo for 206-171-37-232.ded.pacbell.net failed - POSSIBLE 
> >>BREAKIN ATTEMPT!
> >>
> >>I am running FreeBSD 5.4 RELEASE, and right now this box is not a 
> >>production machine, but I am going to be taking it live fairly 
> >>soon.  Questions:
> >>
> >>1)  Is there anything I should be doing to thwart this particular attack?
> >>
> >
> >IANAE on security, but there are several possibilities.  Here are a couple
> >ideas from my deadbeat security brain:
> >
> >     1.  edit /etc/ssh/sshd_config and make sure that only the right users
> >          and such are allowed to login, and via the right methods.
> >
> >     2.  If the situation allows, you can wrap sshd via /etc/hosts.allow to
> >          only allow logins from certain IP addresses (i.e., wherever you
> >          intend to admin this box from).
> >
> >Note that, as I mentioned, IANAE, and there are plenty of other "higher
> >level" security actions that can be taken to secure a box from attack.
> >Maybe some less-newbie-than-me guru will step up to the plate on that;
> >maybe not.
> >
> >>2)  Given that I am on 5.4, should I upgrade my sshd or do anything 
> >>else at this point to make sure my machine is as secure as possible?
> >>
> >
> >Checking the advisories at the freebsd.org web site, and keeping tracking
> >RELENG_5_4 with cvsup/buildworld, etc. to stay up to date, is a good
> >starting point.
> >
> >>3)  (Meta-question) - Should I upgrade to 6.0 before I go live to 
> >>be sure I am in the best possible security situation going forward?
> >>Should I wait until 6.1 for bug fixes (generally I am opposed to 
> >>n.0 anything).
> >>
> >>
> >
> >Meta-answer, if possible from an idiot like me:  6.0 is actually a very
> >notable exception to the "don't grab the zero release" rule in my case.
> >YMMV, of course.  Last week I upgraded my last 5.X boxen to 6.X, and
> >I don't plan on looking back!  Now, if I could just find time to
> >backup/reinstall that 4.X boxen that's locked up so far away!!!
> >
> >>Thanks
> >>Brad
> >>
> >
> >You're welcome.
> >
> >Kevin Kinsey
> 
> Sorry, but what is IANAE and YMMV?
> 
> Thank you!
> 
> Vaaf
> 
> 
-- 
Mike Jeays
http://ca.geocities.com/mike.jeays@rogers.com

IANAE = "I am not an expert"
YMMV  = "Your mileage may vary" - an over-used disclaimer in car
advertisements.
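As an added example (not from anyone in this thread), the Python below parses sshd log lines in the format Brad quoted and tallies the reverse-mapping warnings per source, so you can see which hosts are producing the noise before deciding whether to restrict them via /etc/hosts.allow as Kevin suggests. The sample lines are constructed; the message itself is sshd reporting that the client's reverse DNS name does not resolve back to the connecting IP, which is a DNS consistency warning rather than evidence of a successful break-in.

```python
import re
from collections import defaultdict

# Constructed sample in the format quoted in the thread; each syslog entry is
# one line (the mail client wrapped them in the original post). The last line
# is an unrelated sshd message, included to show that it is ignored.
SAMPLE_LOG = """\
Feb  5 11:18:17 gilmer sshd[78078]: reverse mapping checking getaddrinfo for 206-171-37-232.ded.pacbell.net failed - POSSIBLE BREAKIN ATTEMPT!
Feb  5 11:18:18 gilmer sshd[78080]: reverse mapping checking getaddrinfo for 206-171-37-232.ded.pacbell.net failed - POSSIBLE BREAKIN ATTEMPT!
Feb  5 11:18:20 gilmer sshd[78082]: reverse mapping checking getaddrinfo for 206-171-37-232.ded.pacbell.net failed - POSSIBLE BREAKIN ATTEMPT!
Feb  5 11:25:03 gilmer sshd[78090]: reverse mapping checking getaddrinfo for host.example.invalid failed - POSSIBLE BREAKIN ATTEMPT!
Feb  5 11:30:11 gilmer sshd[78101]: Accepted publickey for brad from 192.0.2.10 port 51122 ssh2
"""

# Syslog prefix: month, day, time, host, sshd[pid]: message
PREFIX_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Reverse-mapping warning. Newer OpenSSH versions append the client IP in
# brackets and spell it "BREAK-IN"; both variants are accepted here.
MAPPING_RE = re.compile(
    r"^reverse mapping checking getaddrinfo for (?P<name>\S+)(?: \[(?P<ip>[^\]]+)\])? failed - POSSIBLE BREAK-?IN ATTEMPT!$"
)


def parse_mapping_warning(line):
    """Return (timestamp, source name, ip or None) for a reverse-mapping warning, else None."""
    m = PREFIX_RE.match(line.rstrip())
    if not m:
        return None
    w = MAPPING_RE.match(m.group("msg"))
    if not w:
        return None
    return m.group("ts"), w.group("name"), w.group("ip")


def summarize(log_text, threshold=3):
    """Tally warnings per source name; return (counts, sources at or above threshold)."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_mapping_warning(line)
        if parsed:
            counts[parsed[1]] += 1
    noisy = sorted(name for name, n in counts.items() if n >= threshold)
    return dict(counts), noisy


if __name__ == "__main__":
    counts, noisy = summarize(SAMPLE_LOG)
    for name, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        print(f"{n:5d}  {name}")
    print("repeat sources worth reviewing for a hosts.allow rule:", noisy)
```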


