Louis LeBlanc wrote:
On 01/10/05 12:20 AM, artware sat at the `puter and typed:
My 5.3R system has only been up a little over a week, and I've already
had a few breakin attempts -- they show up as Illegal user tests in
the /var/log/auth.log... It looks like they're trying common login
names (probably with the login name used as passwd). It takes them
hours to try a dozen names, but I'd rather not have any traffic from
these folks. Is there any way to blacklist IPs at the system level, or
do I have to hack something together for each daemon?


I get this all the time too.  I'm sure anyone with a *nix system on the
net does.

I have two boxes, one allows password authentication, and I also see these attempts. The other only accepts login with ssh-keys and I see no such activity.


I'm sure after reading this, someone else will post another favorite
password generation method, including the numerous ports available - I'd
like to see one that checks the security of a password rather than just
generating them.

yeah, close your eyes, hit the keyboard with all 10 fingers and your nose and see what comes out: ac0e48 amæifljasc4å0w(V4 ok - I admit, I didn't hit the keyboard with my nose, but it's absolutely not a dictionary word :-)


As for the firewall and the originating IP, I follow a plain process:

Check the whois record of the offending IP
  If the IP is in Asia, Russia, or Nigeria, I drop the CIDR spec into my
    firewall <BLOCKED> table and never hear from anyone on the network
    again.  The CIDR spec is part of the whois record
  If the IP is in Western Europe or North America, I notify the abuse
    address to inform them they either have a cracker or a cracked
    system.

This practice has reduced these attempts considerably.  Each time I see
another, I add it to the blocked table (I use pf, not ipfw).

If it's a problem, try to reverse your thinking: why are you allowing access from everywhere in the first place? It is far easier to list the ranges you know your users will be logging in from than to try to block these occasional events that never happen from the same source.


If you are serving a university campus it's likely not an option to block off specific countries or continents, but if it's your SOHO I see no reason you should leave the doors open from ranges you know can only be intruders.

If interested, I have a script for picking out countries from the delegation lists:

   www.daemonsecurity.com/src/ip-rules.pl

Go ahead and hack it to create the rules you need.

Cheers, Erik

--
Ph: +34.666334818                                  web: www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID:  A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
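The thread mentions "Illegal user" lines in /var/log/auth.log and dropping the sources into a pf table. The following shell script is an added example (not posted by anyone in the thread) that counts those sshd probes per source address and emits the repeat offenders in the one-address-per-line form a pf table file takes. The log lines, hostname `gw` and addresses are constructed sample data, and the threshold of two attempts is an arbitrary choice.

```shell
#!/bin/sh
# Added example: tally sshd "Illegal user" probes per source IP from a
# FreeBSD auth.log and print the sources that exceed a threshold.

# Constructed sample in sshd's auth.log format (hypothetical host and IPs).
SAMPLE_LOG='Jan 10 00:15:02 gw sshd[812]: Illegal user admin from 192.0.2.10
Jan 10 00:15:09 gw sshd[815]: Illegal user test from 192.0.2.10
Jan 10 00:16:41 gw sshd[820]: Illegal user guest from 198.51.100.7
Jan 10 00:17:03 gw sshd[823]: Accepted publickey for erik from 203.0.113.5 port 40122 ssh2
Jan 10 00:18:30 gw sshd[830]: Illegal user oracle from 192.0.2.10'

# illegal_user_sources: read a log on stdin and print "count ip" for every
# source of "Illegal user" lines, most active first. Lines that are not
# sshd Illegal-user reports (e.g. successful key logins) are ignored.
illegal_user_sources() {
    awk '/sshd\[[0-9]+\]: Illegal user / {
            ip = $NF            # "... from <ip>" puts the address last
            n[ip]++
        }
        END { for (ip in n) print n[ip], ip }' | sort -rn
}

# offenders_above THRESHOLD: print only the IPs with at least THRESHOLD
# attempts, one address per line, which is the format of a pf table file.
offenders_above() {
    threshold=$1
    illegal_user_sources | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Stand-alone run over the constructed sample; with real data use
#   offenders_above 2 < /var/log/auth.log >> /etc/pf.blocked
printf '%s\n' "$SAMPLE_LOG" | offenders_above 2
```

To feed the result to pf, declare the table in pf.conf as `table <blocked> persist file "/etc/pf.blocked"` with a rule such as `block in quick from <blocked>`, and reload it with `pfctl -t blocked -T replace -f /etc/pf.blocked` (or add single addresses with `pfctl -t blocked -T add`). Counting before blocking matters because a single failed name can be a typo by a legitimate user; the threshold is what separates a scan from a mistake.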
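Erik's suggestion is to allow only the ranges your users come from, using a script that picks countries out of the RIR delegation lists. The script below is an added example written for this thread, not Erik's ip-rules.pl, and it assumes the pipe-separated `registry|cc|type|start|count|date|status` layout of the RIR `delegated-*` files. It turns every IPv4 row for a given country code into aligned CIDR blocks, splitting ranges whose count is not a power of two. The sample rows, including the country code `XX`, are constructed and not real allocations.

```shell
#!/bin/sh
# Added example: extract a country's IPv4 ranges from an RIR delegation
# list and print them as CIDR blocks suitable for a pf table file.

# Constructed sample in the delegated-file layout (not real allocation data).
SAMPLE_DELEGATION='#RIR delegated file (constructed sample)
2|ripencc|20050110|3|19990101|20050110|+0100
ripencc|*|ipv4|*|2|summary
ripencc|ES|ipv4|198.51.100.0|256|20001010|allocated
ripencc|XX|ipv4|192.0.2.0|768|20010101|allocated
ripencc|ES|ipv6|2001:db8::|32|20040101|allocated'

# country_cidrs CC: read a delegation list on stdin and print one CIDR per
# line for every ipv4 row whose country code is CC. Comment, version and
# summary rows never match because their second field is not a country code.
country_cidrs() {
    awk -F'|' -v cc="$1" '
        function ip2int(s,  o) {
            split(s, o, ".")
            return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
        }
        function int2ip(n) {
            return int(n / 16777216) % 256 "." int(n / 65536) % 256 "." \
                   int(n / 256) % 256 "." n % 256
        }
        $1 !~ /^#/ && $2 == cc && $3 == "ipv4" {
            start = ip2int($4); count = $5 + 0
            # A delegation is a start address plus a host count. Emit the
            # largest power-of-two block that is both aligned at the current
            # start and no bigger than what remains, then advance.
            while (count > 0) {
                size = 1; bits = 0
                while (size * 2 <= count && start % (size * 2) == 0) {
                    size *= 2; bits++
                }
                print int2ip(start) "/" (32 - bits)
                start += size; count -= size
            }
        }'
}

# Stand-alone run over the constructed sample; with a real file use
#   country_cidrs ES < delegated-ripencc-latest > /etc/pf.allowed
printf '%s\n' "$SAMPLE_DELEGATION" | country_cidrs ES
```

With the output in a file, an allow-list for ssh in pf.conf looks like `table <allowed> persist file "/etc/pf.allowed"`, `pass in quick proto tcp from <allowed> to any port ssh`, followed by `block in proto tcp to any port ssh`. The splitting loop is the part worth checking: a 768-address delegation is not one CIDR, and emitting it as a single /22 would admit 256 addresses that were never delegated.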
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
