sshd break-in attempt

Per olof Ljungmark peo at
Tue Jan 2 06:40:05 PST 2007

Nathan Vidican wrote:
> We keep getting attempts from what look like a username/password scanner 
> utility to login to our servers externally via sshd. Thankfully, we're 
> not ignorant enough to leave common account names open, however it is 
> annoying to say the least. We're getting things like this:
> Jan  1 09:07:34 fw sshd[66547]: Invalid user staff from
> Jan  1 09:07:35 fw sshd[66549]: Invalid user sales from
> Jan  1 09:07:36 fw sshd[66551]: Invalid user recruit from
> Jan  1 09:07:37 fw sshd[66553]: Invalid user alias from
> Jan  1 09:07:38 fw sshd[66555]: Invalid user office from
> Jan  1 09:07:38 fw sshd[66557]: Invalid user samba from
> Jan  1 09:07:39 fw sshd[66559]: Invalid user tomcat from
> Jan  1 09:07:40 fw sshd[66561]: Invalid user webadmin from
> Jan  1 09:07:41 fw sshd[66563]: Invalid user spam from
> Jan  1 09:07:42 fw sshd[66565]: Invalid user virus from
> Jan  1 09:07:43 fw sshd[66567]: Invalid user cyrus from
> Jan  1 09:07:43 fw sshd[66569]: Invalid user staff from
> Jan  1 09:07:44 fw sshd[66571]: Invalid user oracle from
> In our 'periodic daily' report/email, (only the list goes on for 
> hundreds of attempts). Anyhow, long story short; is there not an easy 
> way to make sshd block or deny hosts temporarily if X number of invalid 
> login attempts are made within a minute's time? Must I use an external 
> wrapper to accomplish this, or can it be done with options to sshd on 
> its own?

There are several ways to block the attacks, one pointed out by the first 
respondent; we use Denyhosts and sshblock here.

Google should point you to several others.
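
The check the question asks for (flag a host once it makes X invalid-user attempts within a minute), as an added example that is not part of the original thread and is not DenyHosts' or sshblock's own code. The sample log lines and their addresses are constructed, and the function name, the threshold and the year parameter are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the syslog format quoted above; the addresses are
# documentation-range placeholders, not values from the original post.
SAMPLE_LOG = """\
Jan  1 09:07:34 fw sshd[66547]: Invalid user staff from 203.0.113.7
Jan  1 09:07:35 fw sshd[66549]: Invalid user sales from 203.0.113.7
Jan  1 09:07:36 fw sshd[66551]: Invalid user recruit from 203.0.113.7
Jan  1 09:07:36 fw sshd[66552]: Invalid user bob from 198.51.100.20
Jan  1 09:07:37 fw sshd[66553]: Invalid user alias from 203.0.113.7
Jan  1 09:07:38 fw sshd[66555]: Invalid user office from 203.0.113.7
Jan  1 09:09:50 fw sshd[66601]: Invalid user bob from 198.51.100.20
Jan  1 09:12:10 fw sshd[66640]: Invalid user bobby from 198.51.100.20
"""

# Timestamp, host, sshd[pid], then the "Invalid user <name> from <addr>" record.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s\d\d:\d\d:\d\d)\s\S+\ssshd\[\d+\]:\s"
    r"Invalid user (?P<user>\S*) from (?P<ip>[0-9A-Fa-f:.]+)")

def offenders(lines, max_attempts=5, window=timedelta(seconds=60), year=2007):
    """Return {ip: time of the attempt that first reached max_attempts
    inside one sliding window}. Lines must be in chronological order."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # other sshd records, or address missing
        # syslog omits the year, so the caller supplies it (assumption)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop attempts older than the window
            q.popleft()
        if len(q) >= max_attempts and m["ip"] not in flagged:
            flagged[m["ip"]] = ts
    return flagged

if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} reached the threshold at {when}")
```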

More information about the freebsd-questions mailing list