Nathan Vidican wrote:
We keep getting attempts from what look like a username/password scanner
utility to log in to our servers externally via sshd. Thankfully, we're
not ignorant enough to leave common account names open, however it is
annoying to say the least. We're getting things like this:
Jan 1 09:07:34 fw sshd[66547]: Invalid user staff from 208.44.210.15
Jan 1 09:07:35 fw sshd[66549]: Invalid user sales from 208.44.210.15
Jan 1 09:07:36 fw sshd[66551]: Invalid user recruit from 208.44.210.15
Jan 1 09:07:37 fw sshd[66553]: Invalid user alias from 208.44.210.15
Jan 1 09:07:38 fw sshd[66555]: Invalid user office from 208.44.210.15
Jan 1 09:07:38 fw sshd[66557]: Invalid user samba from 208.44.210.15
Jan 1 09:07:39 fw sshd[66559]: Invalid user tomcat from 208.44.210.15
Jan 1 09:07:40 fw sshd[66561]: Invalid user webadmin from 208.44.210.15
Jan 1 09:07:41 fw sshd[66563]: Invalid user spam from 208.44.210.15
Jan 1 09:07:42 fw sshd[66565]: Invalid user virus from 208.44.210.15
Jan 1 09:07:43 fw sshd[66567]: Invalid user cyrus from 208.44.210.15
Jan 1 09:07:43 fw sshd[66569]: Invalid user staff from 208.44.210.15
Jan 1 09:07:44 fw sshd[66571]: Invalid user oracle from 208.44.210.15
In our 'periodic daily' report/email, (only the list goes on for
hundreds of attempts). Anyhow, long story short; is there not an easy
way to make sshd block or deny hosts temporarily if X number of invalid
login attempts are made within a minute's time? Must I use an external
wrapper to accomplish this, or can it be done with options to sshd on
its own?

There are several ways to block the attacks, one pointed out by the first
respondent; we use DenyHosts and sshblock here.
Google should point you to several others.
http://www.google.se/search?hl=en&q=ssh+attacks&btnG=Google+Search
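
The check asked about above (X invalid logins from one host within a minute), sketched as an added example that is not part of the original thread and is not code from DenyHosts or sshblock. The threshold, the window, the year default and every sample line after the first five are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: the first five lines copy the thread's format; the
# 192.0.2.7 / 198.51.100.9 lines are documentation addresses added here.
SAMPLE_LOG = """\
Jan 1 09:07:34 fw sshd[66547]: Invalid user staff from 208.44.210.15
Jan 1 09:07:35 fw sshd[66549]: Invalid user sales from 208.44.210.15
Jan 1 09:07:36 fw sshd[66551]: Invalid user recruit from 208.44.210.15
Jan 1 09:07:37 fw sshd[66553]: Invalid user alias from 208.44.210.15
Jan 1 09:07:38 fw sshd[66555]: Invalid user office from 208.44.210.15
Jan 1 09:12:01 fw sshd[66601]: Invalid user bob from 192.0.2.7
Jan 1 09:12:05 fw sshd[66610]: Invalid user x from 198.51.100.9 from 192.0.2.7
Jan 1 09:30:10 fw sshd[66702]: Invalid user bbo from 192.0.2.7
"""

# The username is chosen by the remote side and may itself contain " from <ip>",
# so the source is taken from the END of the line (greedy user group, $ anchor).
# Newer OpenSSH appends " port N"; it is accepted but not required.
LINE_RE = re.compile(
    r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"Invalid user (.*) from (\S+)(?: port \d+)?\s*$"
)

def offenders(lines, threshold=5, window=timedelta(seconds=60), year=2000):
    """Map each source address to the time it first reached `threshold`
    invalid-user attempts inside a sliding `window`.
    Assumes lines are in chronological order; syslog omits the year, so
    `year` is supplied by the caller."""
    recent = defaultdict(deque)   # source -> timestamps still inside the window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        src = m.group(3)
        q = recent[src]
        q.append(when)
        while when - q[0] > window:      # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold and src not in flagged:
            flagged[src] = when
    return flagged

if __name__ == "__main__":
    for src, when in offenders(SAMPLE_LOG.splitlines()).items():
        print(f"{src} reached the threshold at {when:%b %d %H:%M:%S}")
```

The returned addresses would then be handed to whatever does the temporary block (a firewall table or hosts.allow entry), with an expiry and an allow-list for your own networks.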