From: "YOU" <[EMAIL PROTECTED]>
To: "Phillip Smith (mailing list)" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, March 04, 2003 10:06 AM
Subject: Re: hacking attempts?

> On Tue, 4 Mar 2003, Phillip Smith (mailing list) wrote:
>
> > I found this in my logs and I'm wondering if this is a hacking attempt?
> > Should I be concerned?
> >
> > Also, if/when I see these, I'd like to add them to a blocked list using
> > /sbin/ipfw, but get the following message when trying this command:
> >
> > # /sbin/ipfw add 1 deny all from 151.204.100.88:255.255.255.255 to any
> > ipfw: getsockopt(IP_FW_ADD): Protocol not available
> >
> > freedom.domain.com login failures:
> > Mar 2 11:38:33 freedom sshd[47912]: Failed none for illegal user test from 64.21.10.2 port 36747 ssh2
> > Mar 2 11:38:33 freedom sshd[47912]: Failed publickey for illegal user test from 64.21.10.2 port 36747 ssh2
> > Mar 2 11:38:34 freedom sshd[47912]: Failed keyboard-interactive for illegal user test from 64.21.10.2 port 36747 ssh2
> > Mar 2 11:38:34 freedom sshd[47912]: Failed password for illegal user test from 64.21.10.2 port 36747 ssh2
>
> ipfw: getsockopt(blaaaaaah)
>
> Is your kernel configured for firewall work? Check LINT for options.
>
> As well, you should be able to use tcpwrappers; look in
> /etc/hosts.allow. You could add a deny for this 'person's' ip addy, denying
> him/her/it access to your sshd daemon. NOTE: It is 'normally not a good
> idea' to do this, but if you don't want to rebuild with a firewall-
> configured kernel it will suffice.
>
> Hope this helps.
>
> R.

And the reason it's not a "good idea"? I've always assumed it was because
you didn't want to be on vacation, at a friend's house, or suddenly have
your ISP switch subnets on you and lock you out of your box...

Absolutely nothing wrong with denying the supposed "cracker's" IP; AAMOF,
go over to ARIN or APNIC or such and ditch entire Class A nets that you'll
never touch... I'll never be in SE Asia, for example...

I use a dual strategy here. One machine only trusts a second; on the
second box I deny the known bad guyz and let most others try...

...Needless to say, the really important stuff is on the first box...

Kevin Kinsey

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message
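As an added example (not code from the thread, and not anything Phillip, R. or Kevin wrote), here is a POSIX sh script that automates what Phillip asked for: it pulls the source address out of each "Failed ... for illegal user" sshd line, counts failures per source, and prints either the ipfw deny rule or the /etc/hosts.allow line that R. and Kevin discuss. The sample log is constructed: the four 64.21.10.2 lines are the ones from the thread (unwrapped), and the 151.204.100.88 probe and the successful login are invented so the threshold has something to filter. The threshold of 3 failures and the rule base number 1000 are arbitrary choices of this example, not anything the thread specifies.

```shell
#!/bin/sh
# Constructed sample log: the thread's four sshd lines plus two invented ones.
SAMPLE_LOG='Mar 2 11:38:33 freedom sshd[47912]: Failed none for illegal user test from 64.21.10.2 port 36747 ssh2
Mar 2 11:38:33 freedom sshd[47912]: Failed publickey for illegal user test from 64.21.10.2 port 36747 ssh2
Mar 2 11:38:34 freedom sshd[47912]: Failed keyboard-interactive for illegal user test from 64.21.10.2 port 36747 ssh2
Mar 2 11:38:34 freedom sshd[47912]: Failed password for illegal user test from 64.21.10.2 port 36747 ssh2
Mar 2 12:01:10 freedom sshd[47990]: Failed password for illegal user admin from 151.204.100.88 port 41002 ssh2
Mar 2 12:05:42 freedom sshd[48011]: Accepted publickey for kevin from 10.0.0.5 port 50000 ssh2'

# failed_sources: read sshd log lines on stdin and print "count ip" for every
# source that produced a "Failed ... for illegal user" line, most frequent first.
# Only the token after "from" is taken, so the username cannot smuggle in text.
failed_sources() {
    awk '/sshd\[[0-9]+\]: Failed .* for illegal user .* from / {
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# ipfw_rules THRESHOLD BASE: one "ipfw add N deny" line per source with at least
# THRESHOLD failures, numbered from BASE upwards. These only load on a kernel
# built with IPFIREWALL; without it ipfw reports "Protocol not available".
ipfw_rules() {
    threshold=${1:-3}
    base=${2:-1000}
    failed_sources | awk -v t="$threshold" -v b="$base" '
        $1 >= t { printf "/sbin/ipfw add %d deny all from %s to any\n", b, $2; b++ }'
}

# hosts_allow_rules THRESHOLD: the tcpwrappers alternative, one line per
# offending source, suitable for /etc/hosts.allow (applies only to daemons
# built with tcpwrappers support, which FreeBSD's base sshd is).
hosts_allow_rules() {
    threshold=${1:-3}
    failed_sources | awk -v t="$threshold" '$1 >= t { printf "sshd : %s : deny\n", $2 }'
}

# Example run over the constructed sample: only 64.21.10.2 clears the threshold.
printf '%s\n' "$SAMPLE_LOG" | ipfw_rules 3 1000
printf '%s\n' "$SAMPLE_LOG" | hosts_allow_rules 3
```

To use it on a live box, replace the sample with `grep sshd /var/log/auth.log | ipfw_rules 3 1000` (path assumed; check syslog.conf) and review the output before feeding it to sh. Kevin's lockout worry applies here too: whitelist your own management addresses ahead of any generated deny rule, and prefer a low rule number for that allow so it is evaluated first.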