auth.log & intruder prevention

Ilias Sachpazidis isachpaz at
Tue Jan 24 13:02:45 PST 2006

Hi Everyone,

In auth.log of my FreeBSD boxes I got many requests to port 22, as you can
see below.
----begin of snippet
Jan 22 11:21:50 zeus sshd[92900]: Failed password for illegal user cracking from port 58344 ssh2
Jan 22 11:21:53 zeus sshd[92902]: Failed password for illegal user hacking from port 58443 ssh2
Jan 22 11:21:55 zeus sshd[92904]: Failed password for illegal user lol from port 58543 ssh2
Jan 22 11:21:57 zeus sshd[92906]: Failed password for illegal user pgl from port 58640 ssh2
Jan 22 11:22:00 zeus sshd[92908]: Failed password for illegal user player from port 58741 ssh2
Jan 22 11:22:02 zeus sshd[92910]: Failed password for illegal user root4me from port 58842 ssh2
----end of snippet

I am wondering if any script is available to prevent hundreds of attempts on
port 22 from external IPs that are constantly checking user & passwords on my
FreeBSD PCs.

What I am looking for is a daemon application/script that receives the
recorded data from auth.log and detects if any remote client (IP address) is
checking user and passwords (Detection pattern: 5 missing attempts in 1
min). On a successful detection, the script should add an ipfw rule
rejecting further IP packets from the specific remote address.

Is any script or something similar available so far? 

All the best,
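
The detection pattern described in the message above (5 failed attempts from one address within 1 minute, then an ipfw rule), as an added example that is not part of the original post. The names `detect`, `ipfw_rule` and `SAMPLE`, the `year` parameter and the sample addresses are assumptions made here; the rule is built as a string and printed, not executed.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Anchored at the end of the line and with a greedy ".*" for the user name,
# because that field is client-supplied text; only the address sshd itself
# appended is captured.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (\S+) port \d+ ssh2$"
)

def detect(lines, threshold=5, window=timedelta(minutes=1), year=2006):
    """Return addresses with `threshold` failures inside `window`, in detection order."""
    recent = defaultdict(deque)  # address -> timestamps of its recent failures
    flagged = []
    for line in lines:
        m = FAILED.match(line.rstrip())
        if not m:
            continue
        try:
            addr = str(ipaddress.ip_address(m.group(2)))  # never pass raw log text on
        except ValueError:
            continue
        # syslog timestamps carry no year, so the caller supplies one (assumption)
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        hits = recent[addr]
        hits.append(when)
        while when - hits[0] > window:  # drop failures older than the window
            hits.popleft()
        if len(hits) >= threshold and addr not in flagged:
            flagged.append(addr)
    return flagged

def ipfw_rule(addr):
    """Build (not run) an ipfw command that drops all packets from addr."""
    return f"ipfw add deny ip from {addr} to any"

# Constructed sample input: documentation addresses, not taken from the post.
SAMPLE = [
    f"Jan 22 11:21:{s} zeus sshd[929{n:02d}]: Failed password for illegal user "
    f"{u} from 203.0.113.7 port 58{n}44 ssh2"
    for n, (s, u) in enumerate([(50, "cracking"), (53, "hacking"), (55, "lol"),
                                (57, "pgl"), (59, "player")])
] + [
    "Jan 22 11:30:00 zeus sshd[93001]: Failed password for root from 198.51.100.20 port 40000 ssh2",
    "Jan 22 11:33:00 zeus sshd[93002]: Failed password for root from 198.51.100.20 port 40001 ssh2",
]

if __name__ == "__main__":
    for addr in detect(SAMPLE):
        print(ipfw_rule(addr))
```

The function assumes log lines arrive in chronological order, as they do when reading auth.log from top to bottom.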


