On 2/6/06, Brad Gilmer <[EMAIL PROTECTED]> wrote:
> Hello all,
>
> I guess one of the banes of our existence as Sys Admins is that people are
> always pounding away at our systems trying to break in. Lately, I have been
> getting hit with several hundred of the messages below per day in my security
> report output...
>
> gilmer.org login failures:
> Feb 5 11:18:17 gilmer sshd[78078]: reverse mapping checking getaddrinfo for
> 206-171-37-232.ded.pacbell.net failed - POSSIBLE BREAKIN ATTEMPT!
> Feb 5 11:18:18 gilmer sshd[78080]: reverse mapping checking getaddrinfo for
> 206-171-37-232.ded.pacbell.net failed - POSSIBLE BREAKIN ATTEMPT!
> Feb 5 11:18:20 gilmer sshd[78082]: reverse mapping checking getaddrinfo for
> 206-171-37-232.ded.pacbell.net failed - POSSIBLE BREAKIN ATTEMPT!
>
> I am running FreeBSD 5.4 RELEASE, and right now this box is not a production
> machine, but I am going to be taking it live fairly soon. Questions:
>
> 1) Is there anything I should be doing to thwart this particular attack?

The POSSIBLE BREAKIN ATTEMPT message is caused by a failed reverse DNS
lookup, and will happen with legit logins too if you have no reverse DNS.
You can silence this particular message by adding to your
/etc/ssh/sshd_config:

  UseDNS no

To prevent attackers from hammering away at your server, try
ports/security/bruteforceblocker

Bruteforceblocker by default adds an abusive IP to a pf firewall
blacklist, but can be very easily modified for IPFW or adding a null route.

> 2) Given that I am on 5.4, should I upgrade my sshd or do anything else at
> this point to make sure my machine is as secure as possible?

Just keep up with the version 5 security patches.

> 3) (Meta-question) - Should I upgrade to 6.0 before I go live to be sure I
> am in the best possible security situation going forward? Should I wait
> until 6.1 for bug fixes (generally I am opposed to n.0 anything).

Your call. Base your decision on what features you need.

-- 
Noel Jones
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
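
The distinction drawn in the reply above, as an added example that is not part of the thread and is not bruteforceblocker's code: it joins each reverse-mapping warning to the outcome of the same sshd process, so warnings on sessions that authenticated are separated from sources with repeated failed logins. The `Failed password` and `Accepted` lines are standard OpenSSH messages assumed here, and the function name, threshold and sample data are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: hostnames are invented and addresses come from the
# RFC 5737 documentation ranges. The "Failed password" / "Accepted" lines are
# standard OpenSSH messages assumed here; they are not quoted in the thread.
SAMPLE_LOG = """\
Feb  5 11:18:17 host sshd[78078]: reverse mapping checking getaddrinfo for nodns.example.net failed - POSSIBLE BREAKIN ATTEMPT!
Feb  5 11:18:17 host sshd[78078]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Feb  5 11:18:18 host sshd[78080]: reverse mapping checking getaddrinfo for nodns.example.net failed - POSSIBLE BREAKIN ATTEMPT!
Feb  5 11:18:19 host sshd[78080]: Failed password for root from 203.0.113.7 port 40115 ssh2
Feb  5 11:18:20 host sshd[78082]: reverse mapping checking getaddrinfo for nodns.example.net failed - POSSIBLE BREAKIN ATTEMPT!
Feb  5 11:18:21 host sshd[78082]: Failed password for invalid user test from 203.0.113.7 port 40119 ssh2
Feb  5 12:02:40 host sshd[78100]: reverse mapping checking getaddrinfo for laptop.example.org failed - POSSIBLE BREAKIN ATTEMPT!
Feb  5 12:02:41 host sshd[78100]: Accepted publickey for alice from 198.51.100.20 port 50022 ssh2
Feb  5 12:30:05 host sshd[78110]: Failed password for alice from 192.0.2.44 port 51200 ssh2
"""

LINE = re.compile(r"sshd\[(\d+)\]: (.*)")
REVMAP = re.compile(r"reverse mapping checking getaddrinfo for (\S+) "
                    r"(?:\[\S+\] )?failed - POSSIBLE BREAK")
FAILED = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")
ACCEPTED = re.compile(r"Accepted \S+ for \S+ from (\S+) port \d+")


def triage(log_text, threshold=3):
    """Separate reverse-DNS warnings from real failed logins (threshold is hypothetical)."""
    warned = {}           # sshd pid -> hostname whose reverse mapping failed
    warnings = 0          # total reverse-mapping warnings seen
    failures = Counter()  # source IP -> failed password attempts
    benign = set()        # warned hostnames whose session went on to authenticate
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        if (w := REVMAP.match(msg)):
            warned[pid] = w.group(1)
            warnings += 1
        elif (f := FAILED.match(msg)):
            failures[f.group(1)] += 1
        elif ACCEPTED.match(msg) and pid in warned:
            benign.add(warned[pid])
    offenders = {ip: n for ip, n in failures.items() if n >= threshold}
    return {"warnings": warnings, "offenders": offenders,
            "benign_warnings": sorted(benign)}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Counting the `Failed password` lines per address, rather than the reverse-mapping warnings, is what keeps a legitimate client with no reverse DNS out of the block list.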