repeated ssh login attempts/failure/break-in attempts from
kiddy script
J65nko
j65nko at gmail.com
Fri Mar 31 16:38:47 UTC 2006
On 3/31/06, Nathan Vidican <nvidican at wmptl.com> wrote:
> Noted recently in auth.log, a string of connection attempts repeated/failed over
> and over from one host - looks like a script someone's running, tries all kinds
> of various usernames, etc... attempts like 100-200 logins, fails and goes away.
>
> Few hours go by, and another such attempt, from a different IP comes in. If I'm
> here and just happen to notice them - simple ipfw add deny... does the trick,
> but is there not a way to limit the login attempts for a certain period of time?
>
> ie: after 4 failed attempts from IP _BLANK_ in less than _BLANK_ minutes, deny
> all attempts and drop connection from said IP... possible?
>
> Any suggestions/ideas? Thus far, no one has managed to login (there are only
> three accounts which even have a shell or can login via ssh... but still not the
> point). I'd just like to get rid of the problem and save my auth.log file for
> perhaps something more useful ;)
>
[snip]
This pf.conf rule will stop them:
block drop log quick on xl0 proto tcp from any os "Linux" to any port = ssh
More information about the freebsd-questions
mailing list