Re: repeated ssh login attempts/failure/break-in attempts from kiddy script



Nathan Vidican wrote:
Noted recently in auth.log, a string of connection attempts
repeated/failed over and over from one host - looks like a script
someone's running, tries all kinds of various usernames, etc... attempts
like 100-200 logins, fails and goes away.

Few hours go by, and another such attempt, from a different IP comes in.
If I'm here and just happen to notice them - simple ipfw add deny...
does the trick, but is there not a way to limit the login attempts for a
certain period of time?

ie: after 4 failed attempts from IP _BLANK_ in less than _BLANK_
minutes, deny all attempts and drop connection from said IP... possible?

Any suggestions/ideas? Thus far, no one has managed to login (there are
only three accounts which even have a shell or can login via ssh... but
still not the point). I'd just like to get rid of the problem and save
my auth.log file for perhaps something more useful ;)

this is a FAQ by now :-)

some people recommend denyhosts, it's in the ports afaik
http://denyhosts.sourceforge.net/faq.html#2_4

i don't use this myself, i prefer the AllowUsers option in sshd.config,
and i'm using a ssh-jail anyway with a disabled root-passwd

--
grtjs, albi
gpg-key: lynx -dump http://scii.nl/~albi/gpg.asc | gpg --import
_______________________________________________
freebsd-questions@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@xxxxxxxxxxx"
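
The rule asked about in the quoted message (N failed attempts from one IP within M minutes) can be checked offline against auth.log. The following is an added example, not part of the original thread and not DenyHosts' own code. The function names, the sample log lines, the 4-failures-in-5-minutes defaults and the `year` argument (syslog timestamps carry no year) are assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth.log lines (not real data); line 4 has a crafted username.
SAMPLE_LOG = """\
Mar  3 04:10:01 gw sshd[811]: Failed password for invalid user admin from 192.0.2.10 port 4021 ssh2
Mar  3 04:10:04 gw sshd[813]: Failed password for root from 192.0.2.10 port 4025 ssh2
Mar  3 04:10:07 gw sshd[815]: Failed password for illegal user guest from 192.0.2.10 port 4029 ssh2
Mar  3 04:10:09 gw sshd[817]: Failed password for invalid user x from 203.0.113.5 port 1 ssh2 from 192.0.2.10 port 4033 ssh2
Mar  3 08:00:00 gw sshd[900]: Failed password for alice from 198.51.100.7 port 5000 ssh2
Mar  3 09:30:00 gw sshd[910]: Failed password for alice from 198.51.100.7 port 5001 ssh2
Mar  3 11:00:00 gw sshd[920]: Failed password for alice from 198.51.100.7 port 5002 ssh2
Mar  3 12:30:00 gw sshd[930]: Failed password for alice from 198.51.100.7 port 5003 ssh2
Mar  3 12:30:20 gw sshd[931]: Accepted password for alice from 198.51.100.7 port 5004 ssh2
"""

# Greedy ".*" plus the end-of-line anchor binds the address to the text sshd
# appends last, so a username cannot steer the match to someone else's IP.
FAILED = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for .* from (\S+) port \d+(?: ssh\d)?$")

def parse_failure(line, year):  # -> (timestamp, ip) or None
    m = FAILED.match(line)
    if not m:
        return None
    try:  # only a well-formed address may end up in a firewall rule
        ip = str(ipaddress.ip_address(m.group(2)))
    except ValueError:
        return None
    return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"), ip

def offenders(lines, threshold=4, window=timedelta(minutes=5), year=2024):
    """Map each IP to the time it reached `threshold` failures inside `window`."""
    recent, flagged = defaultdict(deque), {}
    for when, ip in filter(None, (parse_failure(l, year) for l in lines)):
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.setdefault(ip, when)
    return flagged

def ipfw_rules(flagged):  # candidate rules for review; nothing is applied here
    return [f"ipfw add deny tcp from {ip} to me 22" for ip in sorted(flagged)]

if __name__ == "__main__":
    print("\n".join(ipfw_rules(offenders(SAMPLE_LOG.splitlines()))))
```

The four mistyped passwords from 198.51.100.7 are spread over hours and stay below the threshold, which is the point of tying the count to a time window.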


