repeated ssh login attempts/failure/break-in attempts from kiddy
script
albi
albi at scii.nl
Fri Mar 31 13:49:15 UTC 2006
Nathan Vidican wrote:
> Noted recently in auth.log, a string of connection attempts
> repeated/failed over and over from one host - looks like a script
> someone's running, tries all kinds of various usernames, etc... attempts
> like 100-200 logins, fails and goes away.
>
> Few hours go by, and another such attempt, from a different IP comes in.
> If I'm here and just happen to notice them - simple ipfw add deny...
> does the trick, but is there not a way to limit the login attempts for a
> certain period of time?
>
> ie: after 4 failed attempts from IP _BLANK_ in less than _BLANK_
> minutes, deny all attempts and drop connection from said IP... possible?
>
> Any suggestions/ideas? Thus far, no one has managed to login (there are
> only three accounts which even have a shell or can login via ssh... but
> still not the point). I'd just like to get rid of the problem and save
> my auth.log file for perhaps something more useful ;)
this a FAQ by now :-)
some people recommend denyhosts, it's in the ports afaik
http://denyhosts.sourceforge.net/faq.html#2_4
i don't use this myself, i prefer the AllowUsers option in sshd.config,
and i'm using a ssh-jail anyway with a disabled root-passwd
--
grtjs, albi
gpg-key: lynx -dump http://scii.nl/~albi/gpg.asc | gpg --import
More information about the freebsd-questions
mailing list