Re: repeated ssh login attempts/failure/break-in attempts from kiddy script



Disable password-based logins (use keys instead), move SSH to another
port, or install some kind of brute force monitor. First two options
are the best, but if for some reason you need to keep it on 22 and
password-based logins then look to a BF monitor. Just make sure you
actually need it... and do some googling, as this gets talked about a
lot (I know, because I asked the same question a few months ago! :)

Pat



On 3/31/06, Nathan Vidican <nvidican@xxxxxxxxx> wrote:
Noted recently in auth.log, a string of connection attempts repeated/failed over
and over from one host - looks like a script someone's running, tries all kinds
of various usernames, etc... attempts like 100-200 logins, fails and goes away.

Few hours go by, and another such attempt, from a different IP comes in. If I'm
here and just happen to notice them - simple ipfw add deny... does the trick,
but is there not a way to limit the login attempts for a certain period of time?

ie: after 4 failed attempts from IP _BLANK_ in less than _BLANK_ minutes, deny
all attempts and drop connection from said IP... possible?

Any suggestions/ideas? Thus far, no one has managed to login (there are only
three accounts which even have a shell or can login via ssh... but still not the
point). I'd just like to get rid of the problem and save my auth.log file for
perhaps something more useful ;)


--
Nathan Vidican
nvidican@xxxxxxxxx
Windsor Match Plate & Tool Ltd.
http://www.wmptl.com/
_______________________________________________
freebsd-questions@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@xxxxxxxxxxx"
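
The rule asked about in the quoted message (N failed attempts from one IP in under M minutes), sketched as a sliding-window check over auth.log lines. This is an added example, not part of the original thread or of any tool named in it. The log lines are constructed, and the sshd line format, the function name `offenders` and the `year` parameter are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in sshd/syslog style; addresses are documentation ranges.
SAMPLE_LOG = """\
Mar 31 10:00:01 gw sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 4021 ssh2
Mar 31 10:00:04 gw sshd[1203]: Failed password for invalid user test from 192.0.2.10 port 4022 ssh2
Mar 31 10:00:05 gw sshd[1190]: Failed password for alice from 198.51.100.7 port 5100 ssh2
Mar 31 10:00:07 gw sshd[1205]: Failed password for root from 192.0.2.10 port 4023 ssh2
Mar 31 10:00:10 gw sshd[1207]: Failed password for invalid user guest from 192.0.2.10 port 4024 ssh2
Mar 31 10:00:12 gw sshd[1209]: Failed password for invalid user oracle from 192.0.2.10 port 4025 ssh2
Mar 31 10:05:30 gw sshd[1192]: Failed password for alice from 198.51.100.7 port 5101 ssh2
Mar 31 10:06:00 gw sshd[1220]: Accepted publickey for alice from 203.0.113.5 port 6000 ssh2
Mar 31 10:40:00 gw sshd[1301]: Failed password for alice from 198.51.100.7 port 5102 ssh2
Mar 31 10:41:00 gw sshd[1303]: Failed password for alice from 198.51.100.7 port 5103 ssh2
"""

# Count only "Failed password" lines, with or without "invalid/illegal user".
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:(?:invalid|illegal) user )?\S+ from (?P<ip>\S+) port \d+")

def offenders(lines, max_failures=4, window=timedelta(minutes=10), year=2006):
    """Map each IP to the time it first reached max_failures inside the window."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    flagged = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so the caller supplies one (assumption).
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(when)
        while when - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= max_failures:
            flagged.setdefault(m["ip"], when)   # keep the first crossing only
    return flagged

if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG.splitlines()).items():
        print(f"{when:%b %d %H:%M:%S} {ip}: candidate for 'ipfw add deny ip from {ip} to any'")
```

With the defaults, the scanning host is flagged on its fourth failure, while the user who mistypes a password four times over forty minutes is not.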



