machine hangs on occasion - correlated with ssh break-in attempts

Derek Ragona derek at
Fri Aug 22 08:04:17 UTC 2008

At 12:38 PM 8/21/2008, Mikhail Teterin wrote:
>A machine I manage remotely for a friend comes under a distributed ssh 
>break-in attack every once in a while. Annoyed (and alarmed) by the 
>messages like:
>Aug 12 10:21:17 symbion sshd[4333]: Invalid user mythtv from
>Aug 12 10:21:18 symbion sshd[4335]: Invalid user mythtv from
>Aug 12 10:21:20 symbion sshd[4337]: Invalid user mythtv from
>Aug 12 10:21:21 symbion sshd[4339]: Invalid user mythtv from
>I wrote an awk-script, which adds a block of the attacking IP-address to 
>the ipfw-rules after three such "invalid user" attempts with:
>    ipfw add 550 deny ip from ip
>The script is fed by syslogd directly -- through a syslog.conf rule 
>Once in a while I manually flush these rules... Is this a good (safe) reaction?
>I'm asking, because the machine (currently running 7.0 as of July 7) hangs 
>solid once every few weeks... My only guess is that a spike in attacks 
>causes "too many" ipfw-entries created, which paralyzes the kernel due to 
>some bug -- the machine is running natd and is the gateway for the rest of 
>the network...
>The hangs could, of course, be caused by something else entirely, but my 
>self-defense mechanism is my first suspect...
>Any comments? Thanks!
>    -mi

I doubt it is your script, or syslog causing the crash.  It is likely a 
hardware problem of some type if you have this server completely patched 
and up-to-date for security patches.  I would look at the memory, ethernet, 
hard disk, or power supply as the most likely candidates.
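The blocking logic Mikhail describes (three "Invalid user" lines from one address, then an ipfw deny rule), as an added example that is not the original awk script and not part of the thread. It reads syslog lines on stdin, keeps a per-address count, and prints the ipfw command once per offending address instead of running it, so the output can be reviewed first. It also skips a caller-supplied whitelist so the gateway's own management address cannot be locked out. The sample log lines and the 192.0.2.x / 198.51.100.x addresses are constructed; the rule number 550 and the "deny ip from" form are the ones from the post.

```shell
#!/bin/sh
# Added example, not the poster's script: count sshd "Invalid user" lines
# per source address and emit one "ipfw add" command when an address
# reaches THRESHOLD attempts. Commands are printed, never executed here.

THRESHOLD=3        # attempts before an address is reported (as in the post)
RULE_NUMBER=550    # rule number used in the post

# Constructed sample input (addresses are from the RFC 5737 test ranges).
SAMPLE_LOG='Aug 12 10:21:17 symbion sshd[4333]: Invalid user mythtv from 192.0.2.10
Aug 12 10:21:18 symbion sshd[4335]: Invalid user mythtv from 192.0.2.10
Aug 12 10:21:19 symbion sshd[4336]: Invalid user admin from 192.0.2.77
Aug 12 10:21:20 symbion sshd[4337]: Invalid user mythtv from 192.0.2.10
Aug 12 10:21:21 symbion sshd[4339]: Invalid user mythtv from 192.0.2.10
Aug 12 10:21:22 symbion sshd[4340]: Accepted publickey for mi from 198.51.100.5 port 2222 ssh2'

# block_offenders [whitelist]
#   stdin:  syslog lines as written by sshd
#   $1:     optional space-separated list of addresses that are never reported
#   stdout: one "ipfw add <rule> deny ip from <addr> to any" line per address
#           that reaches THRESHOLD; each address is reported exactly once.
block_offenders() {
    awk -v threshold="$THRESHOLD" -v rule="$RULE_NUMBER" -v whitelist="${1:-}" '
    BEGIN {
        n = split(whitelist, w, " ")
        for (i = 1; i <= n; i++) skip[w[i]] = 1
    }
    # Only sshd "Invalid user" lines count; successful logins and other
    # sshd messages are ignored.
    /sshd\[[0-9]+\]: Invalid user .* from / {
        # Pull the address that follows " from "; this also copes with
        # sshd variants that append " port NNNN" after the address.
        if (!match($0, / from [0-9.]+/)) next
        ip = substr($0, RSTART + 6, RLENGTH - 6)
        if (ip in skip) next
        count[ip]++
        # Fire exactly when the threshold is crossed, so a flood of later
        # attempts from the same address does not add duplicate rules.
        if (count[ip] == threshold)
            printf "ipfw add %d deny ip from %s to any\n", rule, ip
    }'
}

# Stand-alone run over the constructed sample: prints one rule for 192.0.2.10.
printf '%s\n' "$SAMPLE_LOG" | block_offenders
```

To act on the output instead of reviewing it, pipe it into `sh`; in the syslogd-fed setup from the post the function would read the live lines instead of `SAMPLE_LOG`. Putting the management address in the whitelist argument is the check most worth keeping: a mistyped username from your own workstation otherwise bans you from the gateway.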


