sshd possible breakin attempt messages

Nigel (Merv) Hughes merv at merv.org.uk
Tue Feb 7 01:13:09 PST 2006


Hi Brad,

I don't know much about the nuts and bolts of FreeBSD or Security, but I 
recently had the same problem as you. I found that the Denyhosts port 
(http://denyhosts.sourceforge.net/index.html) fixed the problem very well.

The non-standard, hosts.evil, set-up works best with the FreeBSD hosts.allow 
format. You end up with a hosts.allow that looks a bit like this:

#
# Denyhost Cron Job checks the logs and adds 
# the bad IPs to hosts.evil
#
ALL: /usr/local/etc/hosts.evil : deny

#
# Trust everyone until the logs say they tried a bad thing.
#
ALL : ALL : allow

The FAQs on the website are very good and the Denyhosts' config file is well 
commented so the set-up and install is very easy.

I hope this helps.

Merv

On Monday 06 February 2006 16:23, Brad Gilmer wrote:
> Hello all,
>
> I guess one of the banes of our existence as Sys Admins is that people are
> always pounding away at our systems trying to break in.  Lately, I have
> been getting hit with several hundred of the messages below per day in my
> security report output...
>
> gilmer.org login failures:
> Feb  5 11:18:17 gilmer sshd[78078]: reverse mapping checking getaddrinfo for 206-171-37-232.ded.pacbell.net failed - POSSIBLE BREAKIN ATTEMPT!
> Feb  5 11:18:18 gilmer sshd[78080]: reverse mapping checking getaddrinfo for 206-171-37-232.ded.pacbell.net failed - POSSIBLE BREAKIN ATTEMPT!
> Feb  5 11:18:20 gilmer sshd[78082]: reverse mapping checking getaddrinfo for 206-171-37-232.ded.pacbell.net failed - POSSIBLE BREAKIN ATTEMPT!
>
> I am running FreeBSD 5.4 RELEASE, and right now this box is not a
> production machine, but I am going to be taking it live fairly soon.
> Questions:
>
> 1)  Is there anything I should be doing to thwart this particular attack?
> 2)  Given that I am on 5.4, should I upgrade my sshd or do anything else at
>     this point to make sure my machine is as secure as possible?
> 3)  (Meta-question) - Should I upgrade to 6.0 before I go live to be sure I am
>     in the best possible security situation going forward?  Should I wait until
>     6.1 for bug fixes (generally I am opposed to n.0 anything).
>
> Thanks
> Brad
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe at freebsd.org"
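The loop Merv's cron job runs, in outline, is: read the sshd log, count failures per source, and append repeat offenders to the file that the `ALL: /usr/local/etc/hosts.evil : deny` line points at. Below is an added example of that loop written for this page; it is not DenyHosts' or FreeBSD's code. The log lines are constructed, and the threshold of three events and the allow list are assumptions. It also deals with the message Brad quotes: on his system that line carried only a hostname (later OpenSSH releases append the address in square brackets, which the parser also accepts), and tcp_wrappers matches a hostname pattern only after its own reverse/forward check, the very check that just failed, so hostname-only sources are reported for manual follow-up rather than written into hosts.evil.

```python
"""Build a tcp_wrappers deny list (hosts.evil) from sshd log lines.

Added example, not DenyHosts' own code.  Assumes the hosts.allow layout
from the reply above:  ALL: /usr/local/etc/hosts.evil : deny  followed by
ALL : ALL : allow.  hosts.evil holds one client pattern per line; '#'
starts a comment (hosts_access(5)).
"""
import re
from collections import Counter

# Message shapes sshd writes to the auth log.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+")
INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user \S+ from (\S+)")
# Older OpenSSH logs only the hostname; later releases add " [a.b.c.d]".
REVMAP_RE = re.compile(
    r"sshd\[\d+\]: reverse mapping checking getaddrinfo for (\S+)"
    r"(?: \[([\d.]+)\])? failed")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample lines (documentation addresses), not from the original post.
SAMPLE_LOG = [
    "Feb  5 11:18:17 gilmer sshd[78078]: reverse mapping checking getaddrinfo for host-203-0-113-5.example.net failed - POSSIBLE BREAKIN ATTEMPT!",
    "Feb  5 11:18:18 gilmer sshd[78080]: reverse mapping checking getaddrinfo for host-203-0-113-5.example.net failed - POSSIBLE BREAKIN ATTEMPT!",
    "Feb  5 11:18:20 gilmer sshd[78082]: reverse mapping checking getaddrinfo for host-203-0-113-5.example.net failed - POSSIBLE BREAKIN ATTEMPT!",
    "Feb  5 11:20:01 gilmer sshd[78090]: Invalid user admin from 192.0.2.10",
    "Feb  5 11:20:01 gilmer sshd[78090]: Failed password for invalid user admin from 192.0.2.10 port 41234 ssh2",
    "Feb  5 11:20:03 gilmer sshd[78092]: Failed password for root from 192.0.2.10 port 41236 ssh2",
    "Feb  5 11:21:10 gilmer sshd[78094]: reverse mapping checking getaddrinfo for bad.example.org [203.0.113.9] failed - POSSIBLE BREAK-IN ATTEMPT!",
    "Feb  5 11:21:11 gilmer sshd[78094]: Failed password for root from 203.0.113.9 port 5001 ssh2",
    "Feb  5 11:24:50 gilmer sshd[78098]: Failed password for merv from 198.51.100.7 port 50010 ssh2",
    "Feb  5 11:24:52 gilmer sshd[78098]: Failed password for merv from 198.51.100.7 port 50010 ssh2",
    "Feb  5 11:24:55 gilmer sshd[78098]: Failed password for merv from 198.51.100.7 port 50010 ssh2",
    "Feb  5 11:25:00 gilmer sshd[78100]: Accepted publickey for merv from 198.51.100.7 port 50020 ssh2",
]
# Assumed management address that must never be locked out.
ALLOW = ("198.51.100.7",)


def parse_line(line):
    """Return (source, kind) for a line that counts as a failure, else None.
    source is the address when the log gives one, otherwise the hostname."""
    m = FAILED_RE.search(line)
    if m:
        return m.group(1), "failed"
    m = INVALID_RE.search(line)
    if m:
        return m.group(1), "invalid"
    m = REVMAP_RE.search(line)
    if m:
        return (m.group(2) or m.group(1)), "revmap"
    return None


def offenders(lines, threshold=3, allow=()):
    """Sources with at least `threshold` events, as (addresses, hostnames_only).
    Hostname-only sources come from reverse-mapping lines without an address;
    tcp_wrappers cannot match them reliably, so they go to the second list."""
    counts = Counter()
    for line in lines:
        hit = parse_line(line)
        if hit and hit[0] not in allow:
            counts[hit[0]] += 1
    hot = [s for s, n in counts.items() if n >= threshold]
    addrs = sorted(s for s in hot if IPV4_RE.match(s))
    names = sorted(s for s in hot if not IPV4_RE.match(s))
    return addrs, names


def merge_hosts_evil(existing_text, new_addrs):
    """Return the updated hosts.evil text: comments kept, duplicates dropped,
    so running this from cron repeatedly is idempotent."""
    lines = existing_text.splitlines()
    current = {l.split("#", 1)[0].strip() for l in lines}
    out = lines + [a for a in new_addrs if a not in current]
    return "\n".join(out) + ("\n" if out else "")


if __name__ == "__main__":
    addrs, names = offenders(SAMPLE_LOG, threshold=3, allow=ALLOW)
    print(merge_hosts_evil("# added by cron\n", addrs), end="")
    for n in names:
        print("# review by hand (hostname only, no address logged):", n)
```

hosts.allow is evaluated first match, so the deny line has to stay above `ALL : ALL : allow` exactly as in Merv's file; and put your own management address in the allow list before letting anything like this run unattended.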

