Re: too many illegal connection attempts through ssh

From: Benjamin Rossen (b.rossen_at_onsnet.nu)
Date: 04/13/05

  • Next message: Hexren: "Re[2]: too many illegal connection attempts through ssh"
    To: freebsd-questions@freebsd.org
    Date: Wed, 13 Apr 2005 23:47:49 +0200

    On Wed, 2005-04-06 at 07:15 +0000, Edwin D. Vinas wrote:
    > hello,
    >
    > shown below is snapshot of too many illegal attempts to login to my
    > server from a suspicious hacker. this is taken from the
    > "/var/log/auth.log". my question is, how do i automatically block an
    > IP address if it is attempting to guess my login usernames? can i
    > configure the firewall to check the instances a certain IP has
    > attempted to access/ssh the server, and if it has failed to login for
    > about "x" number of attempts, it will be blocked automatically?
    >
    > thank you in advance!
    >
    > -edwin
    >
    > ----------------
    > Mar 26 05:00:00 pawikan newsyslog[11879]: logfile turned over ...etc.

    This is one of those things we all have to live with.

    I once had the idea to start an Open Source Project for making an
    administrators' tool that would work as follows. The tool would collect these
    records and send the information to a central server. I would be willing to
    donate and administer that server. The server would then track where these
    attacks are coming from. If it becomes apparent that the attacks are coming
    from a lone idiot doing one or two amateurish crack attempts, nothing further
    need be done. On the other hand, if it becomes apparent that the source is
    making repeated attacks on many machines, then a co-ordinated message would go
    out to all administrators using the tool. This could be automated. We could
    hope that many tens of thousands of BSD administrators would be using this
    tool (on many hundreds of thousands of BSD machines). All the machines
    administered by users of this tool would then launch a concerted Denial Of
    Service attack on the cracker address.

    Now, how about that?

    Of course, we could also try to do this nicely; for example, we could send
    automated notifications to the ISPs servicing the offending machines, or to
    ICANN, or to the police and other authorities in the countries where this
    kind of behavior is illegal, and so on. However, that would certainly be
    quite ineffective, and much less fun.

    Or we could combine these strategies. We could notify the ISPs that the
    attacks are coming from one of their clients, informing them that a Tsunami
    DOS shall follow if they do not put a stop to the attacks.

    Just an idea...

    Benjamin Rossen
    _______________________________________________
    freebsd-questions@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-questions
    To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
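The automatic blocking Edwin asks about in the quoted message, as an added example that is not part of the original thread: a small Python script that reads sshd failure lines from auth.log, counts failures per source address inside a sliding time window, and prints the pfctl commands that would add the offenders to a pf table. The log lines are constructed (modelled on sshd's wording, using RFC 5737 documentation addresses), the table name `bruteforce` is an assumption, and the threshold and window are parameters you would tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the "Failed password/publickey for ..." lines sshd writes to auth.log.
# OpenSSH of the 2005 era wrote "illegal user"; later releases write "invalid
# user", so both spellings are accepted. Only the "Failed" line is counted, so
# the separate "Illegal user X from IP" line sshd also logs does not make one
# attempt count twice.
FAILURE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed (?:password|publickey) for (?:(?:illegal|invalid) user )?\S+ from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample of /var/log/auth.log (not copied from the original post):
# one fast guessing burst, one legitimate typo followed by success, and one
# slow, spread-out guesser.
SAMPLE_LOG = """\
Mar 26 05:00:00 pawikan newsyslog[11879]: logfile turned over
Mar 26 05:01:10 pawikan sshd[11902]: Illegal user admin from 192.0.2.10
Mar 26 05:01:10 pawikan sshd[11902]: Failed password for illegal user admin from 192.0.2.10 port 4242 ssh2
Mar 26 05:01:13 pawikan sshd[11904]: Illegal user test from 192.0.2.10
Mar 26 05:01:13 pawikan sshd[11904]: Failed password for illegal user test from 192.0.2.10 port 4243 ssh2
Mar 26 05:01:15 pawikan sshd[11906]: Failed password for root from 192.0.2.10 port 4244 ssh2
Mar 26 05:01:16 pawikan sshd[11908]: Failed password for root from 192.0.2.10 port 4245 ssh2
Mar 26 09:30:01 pawikan sshd[12001]: Failed password for edwin from 198.51.100.7 port 51022 ssh2
Mar 26 09:30:09 pawikan sshd[12003]: Accepted password for edwin from 198.51.100.7 port 51023 ssh2
Mar 26 11:00:00 pawikan sshd[12100]: Failed password for illegal user guest from 203.0.113.5 port 1100 ssh2
Mar 26 11:20:00 pawikan sshd[12110]: Failed password for illegal user guest from 203.0.113.5 port 1101 ssh2
Mar 26 11:40:00 pawikan sshd[12120]: Failed password for illegal user guest from 203.0.113.5 port 1102 ssh2
Mar 26 12:00:00 pawikan sshd[12130]: Failed password for illegal user guest from 203.0.113.5 port 1103 ssh2
Mar 26 12:20:00 pawikan sshd[12140]: Failed password for illegal user guest from 203.0.113.5 port 1104 ssh2
"""


def parse_failures(lines):
    """Return {ip: [datetime, ...]} for every failed sshd login found in lines."""
    events = defaultdict(list)
    for line in lines:
        m = FAILURE_RE.match(line)
        if not m:
            continue  # newsyslog rotations, successful logins, etc. are ignored
        # syslog timestamps carry no year; strptime fills in 1900, which is fine
        # for ordering events inside one log file (a December/January rollover
        # is the one case this simplification gets wrong).
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events[m.group("ip")].append(ts)
    return events


def offenders(events, threshold, window):
    """IPs that produced at least `threshold` failures inside any `window` (timedelta)."""
    hits = set()
    for ip, stamps in events.items():
        stamps.sort()
        start = 0  # left edge of the sliding window over this IP's failures
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits.add(ip)
                break
    return sorted(hits)


def pf_commands(ips, table="bruteforce"):
    """pfctl invocations that add each IP to the pf table (returned, not executed)."""
    return [f"pfctl -t {table} -T add {ip}" for ip in ips]


def scan_log(text, threshold=4, window_minutes=10):
    """Convenience wrapper: offending IPs for the text of a whole log file."""
    events = parse_failures(text.splitlines())
    return offenders(events, threshold, timedelta(minutes=window_minutes))


if __name__ == "__main__":
    # With the defaults only the fast burst from 192.0.2.10 crosses the line;
    # widen the window (e.g. window_minutes=120) and the slow guesser does too.
    for cmd in pf_commands(scan_log(SAMPLE_LOG)):
        print(cmd)
```

For the generated commands to have any effect, pf.conf needs a persistent table and a rule that uses it, for example `table <bruteforce> persist` and `block in quick proto tcp from <bruteforce> to any port ssh`; ipfw users would emit a different command from `pf_commands`. Two practical caveats: keep your own management addresses out of the table so a mistyped password cannot lock you out, and age entries out with `pfctl -t bruteforce -T expire <seconds>` from the same cron job rather than letting the table grow forever. The window parameter is the part worth thinking about: a threshold alone catches the noisy burst in the sample but misses the guesser who spaces attempts twenty minutes apart.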
