sshd break-in attempt

Michael bsdquestions at gmail.com
Wed Jan 3 06:06:53 PST 2007 

Per olof Ljungmark wrote:
> Nathan Vidican wrote:
>> We keep getting attempts from what look like a username/password 
>> scanner utility to login to our servers externally via sshd. 
>> Thankfully, we're not ignorant enough to leave common account names 
>> open, however it is annoying to say the least. We're getting things 
>> like this:
>>
>> Jan  1 09:07:34 fw sshd[66547]: Invalid user staff from 208.44.210.15
>> Jan  1 09:07:35 fw sshd[66549]: Invalid user sales from 208.44.210.15
>> Jan  1 09:07:36 fw sshd[66551]: Invalid user recruit from 208.44.210.15
>> Jan  1 09:07:37 fw sshd[66553]: Invalid user alias from 208.44.210.15
>> Jan  1 09:07:38 fw sshd[66555]: Invalid user office from 208.44.210.15
>> Jan  1 09:07:38 fw sshd[66557]: Invalid user samba from 208.44.210.15
>> Jan  1 09:07:39 fw sshd[66559]: Invalid user tomcat from 208.44.210.15
>> Jan  1 09:07:40 fw sshd[66561]: Invalid user webadmin from 208.44.210.15
>> Jan  1 09:07:41 fw sshd[66563]: Invalid user spam from 208.44.210.15
>> Jan  1 09:07:42 fw sshd[66565]: Invalid user virus from 208.44.210.15
>> Jan  1 09:07:43 fw sshd[66567]: Invalid user cyrus from 208.44.210.15
>> Jan  1 09:07:43 fw sshd[66569]: Invalid user staff from 208.44.210.15
>> Jan  1 09:07:44 fw sshd[66571]: Invalid user oracle from 208.44.210.15
>>
>> In our 'periodic daily' report/email, (only the list goes on for 
>> hundreds of attempts). Anyhow, long story short; is there not an easy 
>> way to make sshd block or deny hosts temporarily if X number of 
>> invalid login attempts are made within a minute's time? Must I use an 
>> external wrapper to accomplish this, or can it be done with options 
>> to sshd on it's own?
>
> There are several ways to block the attacks, one pointed out by first 
> respondent, we use Denyhosts and sshblock here.
>
> Google should point you several others.
> http://www.google.se/search?hl=en&q=ssh+attacks&btnG=Google+Search
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to 
> "freebsd-questions-unsubscribe at freebsd.org"
>
As I have mentioned before here on this list, we use Blockhosts which 
has been extremely effective in blocking these after X number of attempts.

You can find it here:

http://www.aczoom.com/cms/blockhosts

Give it a go, I think you'll be very happy with the results.

Michael

More information about the freebsd-questions mailing list