machine hangs on occasion - correlated with ssh break-in attempts

Mikhail Teterin mi+mill at
Thu Aug 21 18:05:27 UTC 2008


A machine I manage remotely for a friend comes under a distributed ssh 
break-in attack every once in a while. Annoyed (and alarmed) by the 
messages like:

Aug 12 10:21:17 symbion sshd[4333]: Invalid user mythtv from
Aug 12 10:21:18 symbion sshd[4335]: Invalid user mythtv from
Aug 12 10:21:20 symbion sshd[4337]: Invalid user mythtv from
Aug 12 10:21:21 symbion sshd[4339]: Invalid user mythtv from

I wrote an awk-script, which adds a block of the attacking IP-address to 
the ipfw-rules after three such "invalid user" attempts with:

    ipfw add 550 deny ip from ip

The script is fed by syslogd directly -- through a syslog.conf rule 

Once in a while I manually flush these rules... I this a good (safe) 
I'm asking, because the machine (currently running 7.0 as of July 7) 
hangs solid once every few weeks... My only guess is that a spike in 
attacks causes "too many" ipfw-entries created, which paralyzes the 
kernel due to some bug -- the machine is running natd and is the gateway 
for the rest of the network...
The hangs could, of course, be caused by something else entirely, but my 
self-defense mechanism is my first suspect...

Any comments? Thanks!


More information about the freebsd-stable mailing list