System Intrusion Detection

Daniel Bye freebsd-questions at slightlystrange.org
Tue May 9 15:24:12 UTC 2006


On Tue, May 09, 2006 at 07:54:03AM -0700, M. Goodell wrote:
> More and more each day I am seeing my root emails contain hundreds of entries like this:
>
>   May  8 02:23:35 warpstone sshd[26092]: Failed password for root from 222.185.245.208 port 50519 ssh2
>   May  8 16:37:41 warpstone ftpd[34713]: FTP LOGIN FAILED FROM 211.44.250.152, Administrator
>
> Basically, people are attempting to hack into my server often with
> a few thousand attempts each day. What measures can I take to stop
> these attempts? Is there a way I can detect these attacks and
> automatically cut them off? Are any of the security ports effective
> against this?

Don't feel too bad - the little bastards try it on anywhere and
everywhere.

There are a few things you can do to stop them in their tracks.  From
what I gather, the pf firewall provides some neat table functionality
that can be put to use in this situation.  I have never used pf, so will
not say more of it here.

I use Denyhosts, which is intended to stop brute force ssh attacks, but
which can be used to deny unwanted/unwelcome connections to any or all
services.  It's in the ports, is easy to set up and works really well.
There is a synchronisation server from which it can download IP
addresses that have been logged trying to mount attacks, and allows your
DenyHosts to upload addresses that have tried to crack you.

There are a couple of things you can do to protect your sshd.  First,
allow only public key authentication.  This may not be practical in all
situations, but it is a very good way of preventing dictionary attacks
from succeeding!  Secondly, set AllowGroups or AllowUsers in your
sshd.config, so that only explicitly permitted users or groups can
request a login.

HTH

Dan

-- 
Daniel Bye

PGP Key: ftp://ftp.slightlystrange.org/pgpkey/dan.asc
PGP Key fingerprint: D349 B109 0EB8 2554 4D75  B79A 8B17 F97C 1622 166A
                                                                     _
                                              ASCII ribbon campaign ( )
                                         - against HTML, vCards and  X
                                - proprietary attachments in e-mail / \
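As an added example (not part of the original thread or of DenyHosts), here is a small Python script that applies the detect-and-block idea above to the two log formats quoted in the question: it counts failed logins per source address across the sshd and ftpd lines and emits pfctl commands for a pf table. The pf table name `bruteforce`, the threshold and the sample log lines (documentation-range addresses) are all assumptions made for this example.

```python
import re
from collections import Counter

# Constructed sample lines in the two formats quoted in the question
# (sshd "Failed password" and ftpd "FTP LOGIN FAILED").  Addresses are
# documentation-range placeholders, not real hosts.
SAMPLE_LOG = """\
May  8 02:23:35 warpstone sshd[26092]: Failed password for root from 192.0.2.10 port 50519 ssh2
May  8 02:23:37 warpstone sshd[26093]: Failed password for root from 192.0.2.10 port 50520 ssh2
May  8 02:23:39 warpstone sshd[26094]: Failed password for invalid user admin from 192.0.2.10 port 50521 ssh2
May  8 02:24:01 warpstone sshd[26095]: Accepted publickey for dan from 198.51.100.7 port 41000 ssh2
May  8 16:37:41 warpstone ftpd[34713]: FTP LOGIN FAILED FROM 203.0.113.5, Administrator
May  8 16:37:45 warpstone ftpd[34714]: FTP LOGIN FAILED FROM 203.0.113.5, root
May  8 16:38:02 warpstone sshd[26101]: Failed password for root from 203.0.113.5 port 50600 ssh2
"""

# One pattern per daemon; each captures the client address as group "ip".
PATTERNS = [
    re.compile(r"sshd\[\d+\]: Failed password for .* from (?P<ip>[\d.]+) port \d+"),
    re.compile(r"ftpd\[\d+\]: FTP LOGIN FAILED FROM (?P<ip>[\d.]+),"),
]

def count_failures(log_text):
    """Return a Counter of failed-login attempts per source address.
    Successful logins ("Accepted ...") match no pattern and are ignored."""
    hits = Counter()
    for line in log_text.splitlines():
        for pat in PATTERNS:
            m = pat.search(line)
            if m:
                hits[m.group("ip")] += 1
                break
    return hits

def offenders(log_text, threshold=3):
    """Addresses with at least `threshold` failures, most active first."""
    return [ip for ip, n in count_failures(log_text).most_common() if n >= threshold]

def pfctl_commands(ips, table="bruteforce"):
    """pfctl invocations that add each offender to the (assumed) pf table."""
    return ["pfctl -t %s -T add %s" % (table, ip) for ip in ips]

if __name__ == "__main__":
    for cmd in pfctl_commands(offenders(SAMPLE_LOG)):
        print(cmd)
```

For the generated commands to block anything, pf.conf must declare the table (`table <bruteforce> persist`) and carry a rule that blocks traffic from it.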