Question about entry in auth.log

Valentin Bud valentin.bud at
Sat Nov 15 00:07:17 PST 2008

 I personally use key authentication along with DenyUsers and
AllowUsers directives
from sshd. One more thing i do regarding ssh brute force is to make
use of the max-src-conn and
max-src-conn-rate from pf firewall.

My auth logs look like:
Nov 14 11:15:36 xxx sshd[3570]: User root from not
allowed because not listed in AllowUsers
Nov 14 11:15:38 xxx sshd[3572]: Invalid user admin from
Nov 14 11:15:41 xxx sshd[3574]: Invalid user test from
Nov 14 11:15:44 xxx sshd[3576]: User root from not
allowed because not listed in AllowUsers
Nov 14 11:15:46 xxx sshd[3578]: Invalid user ghost from

Five tries from the above ip and if unsuccessful it gets overloaded in
a table and
all the states originating from that ip are killed.

All the servers i have are web/mail ones, none of them is used for
users, so i don't know if this is a good approach
but i wrote it to help make an idea about it.

a great day,

On Sat, Nov 15, 2008 at 5:00 AM, Lisa Casey <lisa at> wrote:
> On Fri, 14 Nov 2008, Tom Marchand wrote:
>> Or michael is vacationing in Romania.
> Very odd. Sigh, Michael is not vacationing in Romania. Doubt he's ever been
> there. I got rid of the michael account (it wasn't used anyway), and
> downloaded a new copy of chkrootkit, installed it and ran it along with
> chklastlog and chkwtmp. Nothing was found. Pehaps this was a harmless enough
> prank? Anything else I ought to look at? Fortunately the michael account did
> not have te ability to su to root.
> Lisa
> _______________________________________________
> freebsd-questions at mailing list
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at"

More information about the freebsd-questions mailing list