Gene wrote:

Over the past few months there has been a remarkably high level of brute force attacks logged by sshd. I was wondering, is there a way that sshd (or some other package) can monitor login attempts and if more than say 5 or 6 attempts are made to log in from a particular IP address, temporarily block that address (perhaps at the firewall)? It'd be real satisfying to just dump the attackers' packets to the bit bucket and slow 'em down a bit.


Yeah, I have experienced exactly the same thing. I think I may write a simple daemon Perl script that watches the tail of auth.log for some of this crap and installs firewalls ad-hoc.

Here's a (very, very small) dump from /var/log/auth.log:

Jan 8 06:11:22 fusion sshd[43967]: Failed password for root from 64.246.44.130 port 54213 ssh2
Jan 8 06:11:22 fusion sshd[43969]: Failed password for root from 64.246.44.130 port 54219 ssh2
Jan 8 06:11:22 fusion sshd[43971]: Illegal user webmaster from 64.246.44.130
Jan 8 06:11:22 fusion sshd[43973]: Illegal user data from 64.246.44.130
Jan 8 06:11:23 fusion sshd[43975]: Illegal user user from 64.246.44.130
Jan 8 06:11:23 fusion sshd[43977]: Illegal user user from 64.246.44.130
Jan 8 06:11:23 fusion sshd[43979]: Illegal user user from 64.246.44.130
Jan 8 06:11:23 fusion sshd[43981]: Illegal user web from 64.246.44.130
Jan 8 06:11:24 fusion sshd[43983]: Illegal user web from 64.246.44.130
Jan 8 06:11:24 fusion sshd[43985]: Illegal user oracle from 64.246.44.130
Jan 8 06:11:24 fusion sshd[43987]: Illegal user sybase from 64.246.44.130
Jan 8 06:11:24 fusion sshd[43989]: Illegal user master from 64.246.44.130
Jan 8 06:11:25 fusion sshd[43991]: Illegal user account from 64.246.44.130
Jan 8 06:11:25 fusion sshd[43993]: Illegal user backup from 64.246.44.130
Jan 8 06:11:25 fusion sshd[43995]: Illegal user server from 64.246.44.130
Jan 8 06:11:25 fusion sshd[43998]: Illegal user adam from 64.246.44.130
Jan 8 06:11:26 fusion sshd[44000]: Illegal user alan from 64.246.44.130
Jan 8 06:11:26 fusion sshd[44002]: Illegal user frank from 64.246.44.130
Jan 8 06:11:26 fusion sshd[44004]: Illegal user george from 64.246.44.130
Jan 8 06:11:26 fusion sshd[44006]: Illegal user henry from 64.246.44.130
Jan 8 06:11:26 fusion sshd[44008]: Failed password for john from 64.246.44.130 port 54348 ssh2


Interestingly, 64.246.44.130 is within the IP range of ev1servers.net which is where my BSD machine is located.

..... FUCKERS.


:(



_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
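
Added example, not part of the original message: a sketch of the log-watching logic discussed above, written in Python rather than the Perl the poster mentions. The function names, threshold, window, allowlist and sample lines are all assumptions made for illustration; it only reports which addresses would be blocked and leaves the firewall call out.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The username is attacker-controlled, so the pattern is anchored end to end:
# a crafted name containing " from <ip>" must not be read as the source address.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:(?:invalid|illegal) user )?\S+|Illegal user \S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?: port \d+ ssh2)?$")
THRESHOLD = 5                   # assumed, from "5 or 6 attempts"
WINDOW = timedelta(seconds=60)  # assumed counting window
ALLOWLIST = {"192.0.2.10"}      # assumed admin address, never blocked

def parse_failure(line):
    """Return (timestamp, ip) for a failed-login line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Syslog omits the year; a fixed one is fine since only differences matter.
    ts = datetime.strptime("2000 " + " ".join(m["ts"].split()), "%Y %b %d %H:%M:%S")
    return ts, m["ip"]

def addresses_to_block(lines):
    """Return IPs with >= THRESHOLD failures inside WINDOW, in detection order."""
    recent, blocked = defaultdict(deque), []
    for line in lines:
        hit = parse_failure(line)
        if hit is None or hit[1] in ALLOWLIST or hit[1] in blocked:
            continue
        ts, ip = hit
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > WINDOW:   # drop failures older than the window
            q.popleft()
        if len(q) >= THRESHOLD:
            blocked.append(ip)      # a real daemon would add a firewall rule here
    return blocked

# Constructed sample lines in the format shown above (documentation addresses).
SAMPLE = """\
Jan  8 06:11:22 host sshd[1001]: Failed password for root from 203.0.113.7 port 54213 ssh2
Jan  8 06:11:22 host sshd[1002]: Illegal user webmaster from 203.0.113.7
Jan  8 06:11:23 host sshd[1003]: Illegal user x from 198.51.100.9 from 203.0.113.7
Jan  8 06:11:24 host sshd[1004]: Illegal user web from 203.0.113.7
Jan  8 06:11:25 host sshd[1005]: Illegal user data from 203.0.113.7
Jan  8 06:11:26 host sshd[1006]: Failed password for john from 203.0.113.7 port 54348 ssh2
""".splitlines()

print(addresses_to_block(SAMPLE))
```

The third sample line carries a crafted username that tries to implicate 198.51.100.9; the anchored pattern rejects the line instead of counting it against either address.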