On Saturday 27 August 2005 07:29 pm, [EMAIL PROTECTED] wrote:
> I'm curious about this bit - what do you do about accidentally mistyped
> usernames by valid users?
Have users do this:
$ cat >> .ssh/config
Host paranoidhost
Hostname paranoid.example.com
User getthisright
I'm seeing those as well. The connection attempts are harmless, but
annoying, since they fill up the logs.
I decided to "solve" the problem by restricting the IP range that can
access my sshd to the class-A blocks that are most commonly used in my
country. Maybe it's not a truly elegant solution,
On 8/27/05, [EMAIL PROTECTED]
<[EMAIL PROTECTED]> wrote:
> > if this server was used by 100+ people i would of course not have such a
> > harsh security script set up. everyone who uses it has great experience
> > and understands the consequences. like i said before, this is usually
> > for persona
> if this server was used by 100+ people i would of course not have such a
> harsh security script set up. everyone who uses it has great experience
> and understands the consequences. like i said before, this is usually
> for personal use and has about 12 users total. if this was used to
> man
if this server was used by 100+ people i would of course not have such a
harsh security script set up. everyone who uses it has great experience
and understands the consequences. like i said before, this is usually
for personal use and has about 12 users total. if this was used to
manage ssh on
> -if the attempt was with a username that doesn't exist - i add the ip to
> a db of banned ips and flush and restart ipfw
I'm curious about this bit - what do you do about accidentally mistyped
usernames by valid users?
cheers,
-- Joel Hatton --
Security Analyst| Hotline: +61
I also get a large amount of attacks via ssh, i decided that the people
who have access to my server (only 12) know what their usernames are. my
decision was to set up a swatch script to monitor the types of errors
that are picked up in the logs:
-if the attempt was with a username that doesn
Sent: Tuesday, August 23, 2005 9:27 PM
> To: FreeBSD Questions
> Subject: Re: Illegal access attempt - FreeBSD 5.4 Release - please advise
>
> It's not that big of a deal...they didn't get in or anything. If
> you've got a server that's always connected to the intern
> On Fri, 26 Aug 2005 00:24:48 +0200
> Maarten Sanders <[EMAIL PROTECTED]> wrote:
>
> > Nice suggestion, but how do I enable tcp_wrappers with sshd?
>
> from
> http://lists.freebsd.org/pipermail/freebsd-security/2004-September/002351.html
>
> in /usr/src/crypto/openssh/config.h
> find the lin
On Fri, 26 Aug 2005 00:24:48 +0200
Maarten Sanders <[EMAIL PROTECTED]> wrote:
> Nice suggestion, but how do I enable tcp_wrappers with sshd?
from
http://lists.freebsd.org/pipermail/freebsd-security/2004-September/002351.html
in /usr/src/crypto/openssh/config.h
find the line :
/* Define if you wa
On Thu, 2005-08-25 at 07:22 -0400, Lee Capps wrote:
> On 11:18 Wed 24 Aug , Chris St Denis wrote:
> > How can I easily auto deny after x failed attempts? Is this an sshd setting?
> > I could find it.
> >
> > Is there something in ports that will firewall off somebody who is brute
> > forcing?
"Chris St Denis" <[EMAIL PROTECTED]> writes:
> How can I easily auto deny after x failed attempts? Is this an sshd setting?
> I could find it.
>
> Is there something in ports that will firewall off somebody who is brute
> forcing?
With PF, it's fairly easy to set up with max-src-conn, max-src-con
On 11:18 Wed 24 Aug , Chris St Denis wrote:
> How can I easily auto deny after x failed attempts? Is this an sshd setting?
> I could find it.
>
> Is there something in ports that will firewall off somebody who is brute
> forcing?
In addition to adding entries to /etc/hosts.allow you could try
, August 23, 2005 9:27 PM
To: FreeBSD Questions
Subject: Re: Illegal access attempt - FreeBSD 5.4 Release - please advise
It's not that big of a deal...they didn't get in or anything. If
you've got a server that's always connected to the internet, you'll
see people trying to br
On 8/24/05, ro ro <[EMAIL PROTECTED]> wrote:
> Hi All,
>
> I was browsing through my log files and noticed that
> someone (or many people) is trying to gain illegal
> access to my server (see snippet from log files
> below).
>
> The below log file clearly indicates someone trying to
> hack away at
On Tue, 23 Aug 2005 21:22:34 -0700 (PDT)
ro ro <[EMAIL PROTECTED]> wrote:
> I took the issue of creating a good firewall quite
> lightly and now I regret that decision.. now I have
> learnt... Can someone provide me with guidance on this
> issue and advise me on next steps to take action
> against
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Michael Dale
> Sent: Wednesday, August 24, 2005 4:40 AM
> To: Hornet
> Cc: ro ro; freebsd-questions@freebsd.org
> Subject: Re: Illegal access attempt - FreeBSD 5.4 Relea
i usually run a swatch script to monitor ssh login attempts and deny
them via ipfw - most of them are addresses from people running linux
trying to bruteforce their way in - the list can get pretty long.
also what's most funny is that a lot of those people try windows server
exploits on me d
On 8/24/05, Michael Dale <[EMAIL PROTECTED]> wrote:
>
> >Also, most if not all of the blocks below are Asia netblocks that I
> >have had more than 3 attempts to gain access to my servers.
> >
> >220.0.0.0/8
> >202.0.0.0/7
> >134.208.0.0/16
> >218.0.0.0/8
> >210.0.0.0/7
> >221.0.0.0/8
> >219.0.0.0/
>Also, most if not all of the blocks below are Asia netblocks that I
>have had more than 3 attempts to gain access to my servers.
>
>220.0.0.0/8
>202.0.0.0/7
>134.208.0.0/16
>218.0.0.0/8
>210.0.0.0/7
>221.0.0.0/8
>219.0.0.0/8
>195.116.0.0/16
>59.0.0.0/8
>195.133.91.0/24
>222.0.0.0/8
>
>
>
Not al
On 8/24/05, ro ro <[EMAIL PROTECTED]> wrote:
> Hi All,
>
> I was browsing through my log files and noticed that
> someone (or many people) is trying to gain illegal
> access to my server (see snippet from log files
> below).
>
> The below log file clearly indicates someone trying to
> hack away at
It's not that big of a deal...they didn't get in or anything. If
you've got a server that's always connected to the internet, you'll
see people trying to break in all the time. The more popular your
server, the more frequent the attempts. This is just someone trying
to log in via SSH - so as lon