repeated ssh login attempts/failure/break-in attempts from kiddy script

Pat Maddox pergesu at gmail.com
Fri Mar 31 13:44:54 UTC 2006


Disable password-based logins (use keys instead), move SSH to another
port, or install some kind of brute force monitor.  First two options
are the best, but if for some reason you need to keep it on 22 and
password-based logins then look to a BF monitor.  Just make sure you
actually need it... and do some googling, as this gets talked about a
lot (I know, because I asked the same question a few months ago! :)

Pat



On 3/31/06, Nathan Vidican <nvidican at wmptl.com> wrote:
> Noted recently in auth.log, a string of connection attempts repeated/failed over
> and over from one host - looks like a script someone's running, tries all kinds
> of various usernames, etc... attempts like 100-200 logins, fails and goes away.
>
> Few hours go by, and another such attempt, from a different IP comes in. If I'm
> here and just happen to notice them - simple ipfw add deny... does the trick,
> but is there not a way to limit the login attempts for a certain period of time?
>
> i.e.: after 4 failed attempts from IP _BLANK_ in less than _BLANK_ minutes, deny
> all attempts and drop connection from said IP... possible?
>
> Any suggestions/ideas? Thus far, no one has managed to log in (there are only
> three accounts which even have a shell or can log in via ssh... but still not the
> point). I'd just like to get rid of the problem and save my auth.log file for
> perhaps something more useful ;)
>
>
> --
> Nathan Vidican
> nvidican at wmptl.com
> Windsor Match Plate & Tool Ltd.
> http://www.wmptl.com/

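The rule asked about in the quoted question (N failed attempts from one IP in less than M minutes) amounts to a sliding-window count over sshd's "Failed password" lines in auth.log. The following is an added example, not part of the original thread: the log lines are constructed, and the function name, default thresholds and assumed year are illustrative.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in sshd's syslog format (documentation-range addresses).
SAMPLE_LOG = """\
Mar 31 13:00:00 gw sshd[4090]: Failed password for root from 198.51.100.7 port 3301 ssh2
Mar 31 13:01:02 gw sshd[4101]: Failed password for invalid user admin from 192.0.2.10 port 40112 ssh2
Mar 31 13:01:05 gw sshd[4103]: Invalid user test from 192.0.2.10
Mar 31 13:01:05 gw sshd[4103]: Failed password for invalid user test from 192.0.2.10 port 40115 ssh2
Mar 31 13:01:09 gw sshd[4105]: Failed password for illegal user guest from 192.0.2.10 port 40119 ssh2
Mar 31 13:01:12 gw sshd[4107]: Failed password for root from 192.0.2.10 port 40121 ssh2
Mar 31 13:01:15 gw sshd[4109]: Failed password for root from 192.0.2.10 port 40125 ssh2
Mar 31 13:02:40 gw sshd[4120]: Accepted publickey for alice from 203.0.113.5 port 51000 ssh2
Mar 31 13:15:00 gw sshd[4190]: Failed password for root from 198.51.100.7 port 3302 ssh2
Mar 31 13:30:00 gw sshd[4290]: Failed password for root from 198.51.100.7 port 3303 ssh2
Mar 31 13:45:00 gw sshd[4390]: Failed password for root from 198.51.100.7 port 3304 ssh2
"""

# The username is chosen by the remote client, so the greedy ".*" plus the "$"
# anchor take the address from the trailing "from IP port N ssh2" that sshd
# itself appends, not from anything embedded in the username.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (?P<ip>\S+) port \d+ ssh2$"
)

def find_offenders(lines, max_failures=4, window_minutes=10, year=2006):
    """Map each IP to the time it first reached max_failures inside the window."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    offenders = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue              # "Invalid user" and "Accepted" lines are not counted
        # Syslog timestamps carry no year; the caller supplies one (assumption).
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] >= window:    # drop failures that fell out of the window
            q.popleft()
        if len(q) >= max_failures:
            offenders.setdefault(m["ip"], ts)
    return offenders

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} reached the threshold at {when}")
```

With the defaults only 192.0.2.10 is reported; the slow source at 198.51.100.7 stays under the threshold until the window is widened, which is the trade-off to weigh when picking the two blanks in the question.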
