Re: Please Help! How to STOP them...

2007-01-15 Thread Alexander Mogilny

On 15 Jan. 2007, at 19:05, Oliver Fromme wrote:


> Gerard Seibert wrote:
>
> > Reko Turja wrote:
> >
> > > Moving your sshd port somewhere else than 22 - the prepackaged
> > > "cracking" programs don't scan ports, just blindly try out the default
> > > port - with determined/skilled attacker it's different matter entirely
> > > though.
> >
> > Security through Obscurity is not true security at all. You are simply
> > assuming that other ports are not being scanned.
>
> I don't think he's assuming that.  He is just suggesting an
> effective solution to the problem that hundreds of failed
> login attempts are filling the OP's logs and cron mails.
> He didn't claim that it increases security.
>
> In fact, I would also recommend to move the ssh service
> from port 22 to a different, non-standard port if possible.
> If you want, you can even have the sshd daemon listen on
> _both_ port 22 _and_ your non-standard port 122, and limit
> access to port 22 to a few well-known IP addresses, using
> a packet filter.  That way you diminish the usual "blind"
> attempts on port 22, but you can still login using the
> non-standard port if you happen to come from an unknown
> IP address, so you don't lock yourself out.
>
> Of course, it is important to understand that changing
> the port number will not significantly increase security.
> However, it might give you a slight advance when yet
> another ssh security bug is discovered and exploits start
> circulating while you're asleep.  Usually the first
> exploits are quick and dirty hacks which have port 22
> hardcoded, and most script kiddies who blindly scan
> random networks don't have enough clue to change it.  ;-)
>
> Of course, you still need to patch or update your sshd
> as quickly as possible if necessary, and you still need
> to use good passwords, or -- even better -- don't use
> passwords at all, but use key-based authentication.
> Another thing that might be useful are one-time passwords
> (OPIE), especially when you're connecting from a foreign
> client such as a public terminal.
>
> Best regards
>    Oliver


It is quite correct but too paranoid. You may consider trying to use
security/bruteblock or security/bruteforceblocker. These programs are
very easy to configure and give you notifications on ssh bruteforce
attacks.

--
AIM-UANIC | AIM-RIPE  +-[ FreeBSD ]-+
Alexander Mogilny | The Power to Serve! |
<> [EMAIL PROTECTED]   +-+



___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: Please Help! How to STOP them...

2007-01-15 Thread Oliver Fromme
Gerard Seibert wrote:
 > Reko Turja wrote:
 > > Moving your sshd port somewhere else than 22 - the prepackaged 
 > > "cracking" programs don't scan ports, just blindly try out the default 
 > > port - with determined/skilled attacker it's different matter entirely 
 > > though.
 > 
 > Security through Obscurity is not true security at all. You are simply
 > assuming that other ports are not being scanned.

I don't think he's assuming that.  He is just suggesting an
effective solution to the problem that hundreds of failed
login attempts are filling the OP's logs and cron mails.
He didn't claim that it increases security.

In fact, I would also recommend to move the ssh service
from port 22 to a different, non-standard port if possible.
If you want, you can even have the sshd daemon listen on
_both_ port 22 _and_ your non-standard port 122, and limit
access to port 22 to a few well-known IP addresses, using
a packet filter.  That way you diminish the usual "blind"
attempts on port 22, but you can still login using the
non-standard port if you happen to come from an unknown
IP address, so you don't lock yourself out.

Of course, it is important to understand that changing
the port number will not significantly increase security.
However, it might give you a slight advance when yet
another ssh security bug is discovered and exploits start
circulating while you're asleep.  Usually the first
exploits are quick and dirty hacks which have port 22
hardcoded, and most script kiddies who blindly scan
random networks don't have enough clue to change it.  ;-)

Of course, you still need to patch or update your sshd
as quickly as possible if necessary, and you still need
to use good passwords, or -- even better -- don't use
passwords at all, but use key-based authentication.
Another thing that might be useful are one-time passwords
(OPIE), especially when you're connecting from a foreign
client such as a public terminal.

Best regards
   Oliver

-- 
Oliver Fromme,  secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Services with a focus on FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

cat man du : where Unix geeks go when they die


Re: Please Help! How to STOP them...

2007-01-14 Thread Norberto Meijome
On Mon, 15 Jan 2007 10:53:47 +1100
Norberto Meijome <[EMAIL PROTECTED]> wrote:

> I would add to limit the number of password retries - so if they want to
> hammer you, at least they'll have to try a new connection. Of course, this
> leaves you open to a DOS ... but, well, I guess you are still open to that
> the second you're on the net :)

Don't forget that the fallback between keyboard-auth and key based auth counts
as a failure, so make sure you have at least 2 failures allowed.

_
{Beto|Norberto|Numard} Meijome

"Quality is never an accident, it is always the result of intelligent effort."
  John Ruskin  (1819-1900)

I speak for myself, not my employer. Contents may be hot. Slippery when wet.
Reading disclaimers makes you go blind. Writing them is worse. You have been
Warned.


Re: Please Help! How to STOP them...

2007-01-14 Thread Norberto Meijome
On Sun, 14 Jan 2007 15:39:30 +0100
Erik Norgaard <[EMAIL PROTECTED]> wrote:

> - enforce key authentication

From memory, you still get the 'user unknown' messages if you have only key
auth.

> - restrict access to certain users or groups of users

I would say, idem here.

> - deny direct access as root
This is obvious... and a default in BSD (I don't think it's a default in some
(most?) Linux distros though)

> - enforce strong passwords, if you can't enforce key authentication
> - limit the ip address space that is allowed to connect, to the space
>where you or your users are likely to be
> - limit the number of simultaneous unauthenticated connections

I would add to limit the number of password retries - so if they want to
hammer you, at least they'll have to try a new connection. Of course, this
leaves you open to a DOS ... but, well, I guess you are still open to that the
second you're on the net :)

Moving the default tcp port to other than the default WILL diminish the
attempts - it will NOT PROVIDE YOU WITH EXTRA SECURITY AT ALL, so you still
should configure key auth + limit users + deny root, etc.

_
{Beto|Norberto|Numard} Meijome

"Everything should be made as simple as possible, but not simpler."
  Albert Einstein

I speak for myself, not my employer. Contents may be hot. Slippery when wet.
Reading disclaimers makes you go blind. Writing them is worse. You have been
Warned.


Re: Please Help! How to STOP them...

2007-01-14 Thread Erik Norgaard

VeeJay wrote:

I am reading many hundred lines similar to below mentioned?

Could you please advise me what to do and how can I make my box more secure?

Jan  9 17:54:42 localhost sshd[5130]: reverse mapping checking getaddrinfo
for bbs-83-179.189.218.on-nets.com [218.189.179.83] failed - POSSIBLE
BREAK-IN ATTEMPT!
Jan  9 17:54:42 localhost sshd[5130]: Invalid user sysadmin from
218.189.179.83



Please, this is possibly the most frequently asked question not in the 
FAQ. Understand that whenever you make a service available on the 
internet, someone is going to try to break in. Be it ssh, smtp, dns, 
http etc. What you need to learn is to identify which attacks constitute 
a real threat to your system.


The first log entry is no sign of break in attempt. Just because a DNS 
server is misconfigured doesn't mean that people are trying to attack you.


The second line is evidence that some illicit events are recorded. But, 
there is no reason to worry about these if you have properly configured 
your box. Please search the archives for ssh brute force - this topic 
has been discussed a zillion times.


Some mention port knocking. This doesn't make people stop trying to get
into your box. It introduces an extra hassle to do so as you first have
to knock on the port a secret (but shared secret) sequence. Then you
will authenticate as previously.


If you are troubled with messages in your log, there are plenty of 
ordinary things you can do:


- enforce key authentication
- restrict access to certain users or groups of users
- deny direct access as root
- enforce strong passwords, if you can't enforce key authentication
- limit the ip address space that is allowed to connect, to the space
  where you or your users are likely to be
- limit the number of simultaneous unauthenticated connections

Cheers, Erik
--
Ph: +34.666334818  web: http://www.locolomo.org




Re: Please Help! How to STOP them...

2007-01-14 Thread Norberto Meijome
On Fri, 12 Jan 2007 15:53:04 -0800
Jay Chandler <[EMAIL PROTECTED]> wrote:

> Please, please, PLEASE RTFM.  If that's too much to ask, try taking a 
> class, hiring a consultant, or using a more user-friendly OS.

I have been a user of FreeBSD for 8 years and it is very friendly to
me... not sure what you mean :) (yes, 'user-friendliness' is one of those
pejorative terms that assume the user is a lesser mind than... ours? I
don't know...

I am not taking offense, just pointing out something which seems quite
engrained in our way of thinking (or pushed by the M$ marketing folks ;) )...

Anyway, I do agree with what Jay tells VJ - I told VJ as much in a private email
(he/she directly emailed me to start).

best,

_
{Beto|Norberto|Numard} Meijome

"The only good bureaucrat is one with a pistol at his head.
Put it in his hand and it's goodbye to the Bill of Rights."
   H.L. Mencken

I speak for myself, not my employer. Contents may be hot. Slippery when wet.
Reading disclaimers makes you go blind. Writing them is worse. You have been
Warned.


Re: Please Help! How to STOP them...

2007-01-13 Thread Peter N. M. Hansteen
Jay Chandler <[EMAIL PROTECTED]> writes:

> Please, please, PLEASE RTFM.  If that's too much to ask, try taking a 
> class, hiring a consultant, or using a more user-friendly OS.

FreeBSD *is* user friendly.  The simple (and fun to watch!) solution
involves using PF (not sure if this can be easily done with the other
firewalls FreeBSD has on tap) with 'overload' rules, i.e.
http://home.nuug.no/~peter/pf/en/bruteforce.html

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.


Re: Please Help! How to STOP them...

2007-01-13 Thread Anuj Singh
Hiee,
Greetings,
I tried the port knocking thing with a Linux box.

Port knocking is a technique whereby attempting to connect to port A
enables access to port B from that same host.

Port knocking can be the solution for this. I tried it with Linux iptables
only; I wonder if a similar thing can be done on beastie IPF, as I am
very new to FreeBSD. But port knocking on Linux I tried and it worked
well.

For a basic layout I am giving this link (this is based on iptables, but
can give a basic layout for implementing the same thing on Beastie).
http://www.soloport.com/iptables.html
 
Anuj

On Fri, 2007-01-12 at 22:43 +0100, VeeJay wrote:
> I am reading many hundred lines similar to below mentioned?
> 
> Could you please advise me what to do and how can I make my box more secure?
> 
> Jan  9 17:54:42 localhost sshd[5130]: reverse mapping checking getaddrinfo
> for bbs-83-179.189.218.on-nets.com [218.189.179.83] failed - POSSIBLE
> BREAK-IN ATTEMPT!
> Jan  9 17:54:42 localhost sshd[5130]: Invalid user sysadmin from
> 218.189.179.83
> 




Re: Please Help! How to STOP them...

2007-01-12 Thread Jay Chandler

VeeJay wrote:

> I am reading many hundred lines similar to below mentioned?
>
> Could you please advise me what to do and how can I make my box more
> secure?
>
> Jan  9 17:54:42 localhost sshd[5130]: reverse mapping checking getaddrinfo
> for bbs-83-179.189.218.on-nets.com [218.189.179.83] failed - POSSIBLE
> BREAK-IN ATTEMPT!
> Jan  9 17:54:42 localhost sshd[5130]: Invalid user sysadmin from
> 218.189.179.83

VeeJay, you've asked several questions now to this list that are very 
simple to solve with even a minimal amount of reading through Google.  
Some people more generous than I have given you the answers, which are
immediately met with further questions, most of which are answered
in the first part of the man page for the relevant program.


I, and I suspect other posters on this list, have little interest in 
reading Unix for Dummies to you.  Technical questions about specific 
failures are one thing, but you're asking things that are covered in any 
decent Unix / FreeBSD book.  Heck, you can even get the FreeBSD Handbook 
for free online.


Please, please, PLEASE RTFM.  If that's too much to ask, try taking a 
class, hiring a consultant, or using a more user-friendly OS.


--
Jay Chandler
Network Administrator, Chapman University
714.628.7249 / [EMAIL PROTECTED]
Today's Excuse: Incorrectly configured static routes on the corerouters. 




Re: Please Help! How to STOP them...

2007-01-12 Thread Gerard Seibert
On Friday January 12, 2007 at 04:54:37 (PM) Reko Turja wrote:


> >I am reading many hundred lines similar to below mentioned?
> >
> > Could you please advise me what to do and how can I make my box more 
> > secure?
> >
> > Jan  9 17:54:42 localhost sshd[5130]: reverse mapping checking 
> > getaddrinfo
> > for bbs-83-179.189.218.on-nets.com [218.189.179.83] failed - 
> > POSSIBLE
> > BREAK-IN ATTEMPT!
> > Jan  9 17:54:42 localhost sshd[5130]: Invalid user sysadmin from
> > 218.189.179.83
> 
> It's basically just script kiddies trying to get in using some ready 
> made user/password pairs.
> 
> Lots of info covering this has been posted in these newsgroups 
> previously, but some things you might consider
> 
> Moving your sshd port somewhere else than 22 - the prepackaged 
> "cracking" programs don't scan ports, just blindly try out the default 
> port - with determined/skilled attacker it's different matter entirely 
> though.

Security through Obscurity is not true security at all. You are simply
assuming that other ports are not being scanned.
> 
> Use some kind of portblocker (lots in ports tree) which closes the 
> port after predetermined number of attempts - or as an alternative, 
> use PF to close the port for IP's in question after predetermined 
> number of connection attempts in given time.
> 
> Use key based authentication and stop using passwords altogether.

A very secure method. I would recommend this along with making sure your
firewall is properly configured and all unnecessary ports closed, etc.
> 
> Remember to keep ssh1 disabled as well as direct root access into ssh 
> from the ssh config file.



-- 
Gerard

For GOOGLE (L)Users:  

"RAM Disk" is not an installation procedure.



Re: Please Help! How to STOP them...

2007-01-12 Thread Peter Giessel
On Friday, January 12, 2007, at 01:34PM, "VeeJay" <[EMAIL PROTECTED]> wrote:
>What do you mean here?
>
>Remember to keep ssh1 disabled as well as direct root access into ssh
>> from the ssh config file.
>
>
>How to disable SSH1 and How to stop direct root access into ssh, where to
>change?

Sounds like you have some reading to do.  Start here:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/securing-freebsd.html
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/openssh.html


Re: Please Help! How to STOP them...

2007-01-12 Thread VeeJay

What should be ENABLED and what should be DISABLED?

#   $OpenBSD: sshd_config,v 1.74 2006/07/19 13:07:10 dtucker Exp $
#   $FreeBSD: src/crypto/openssh/sshd_config,v 1.42.2.4 2006/11/11 00:51:28 des Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

# Note that some of FreeBSD's defaults differ from OpenBSD's, and
# FreeBSD has a few additional options.

#VersionAddendum FreeBSD-20061110

#Port 22
#Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# Change to yes to enable built-in password authentication.
#PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable PAM authentication
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'no' to disable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM yes

#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem       sftp    /usr/libexec/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#   X11Forwarding no
#   AllowTcpForwarding no
#   ForceCommand cvs server

What steps do I need to follow?




On 1/12/07, VeeJay <[EMAIL PROTECTED]> wrote:


Thanks Reko

Just couple of more questions...


On 1/12/07, Reko Turja <[EMAIL PROTECTED]> wrote:
>
> From: "VeeJay" <[EMAIL PROTECTED]>
> To: < [EMAIL PROTECTED]>; "FreeBSD-Questions"
> 
> Sent: Friday, January 12, 2007 11:43 PM
> Subject: Please Help! How to STOP them...
>
>
> >I am reading many hundred lines similar to below mentioned?
> >
> > Could you please advise me what to do and how can I make my box more
> > secure?
> >
> > Jan  9 17:54:42 localhost sshd[5130]: reverse mapping checking
> > getaddrinfo
> > for bbs-83-179.189.218.on-nets.com [218.189.179.83] failed -
> > POSSIBLE
> > BREAK-IN ATTEMPT!
> > Jan  9 17:54:42 localhost sshd[5130]: Invalid user sysadmin from
> > 218.189.179.83
>
> It's basically just script kiddies trying to get in using some ready
> made user/password pairs.
>
> Lots of info covering this has been posted in these newsgroups
> previously, but some things you might consider
>
> Moving your sshd port somewhere else than 22 - the prepackaged
> "cracking" programs don't scan ports, just blindly try out the default
> port - with determined/skilled attacker it's different matter entirely
> though.


How to change the port from 22 to something other and in what range should
I choose a number?


Use some kind of portblocker (lots in ports tree) which closes t
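VeeJay asks above what should be enabled or disabled in the posted sshd_config, and the earlier replies (Erik's checklist, Reko's "keep ssh1 disabled", Oliver's two-port setup, Norberto's note on MaxAuthTries) between them give the answer. The script below is an added example, not part of the thread: it audits an sshd_config against those points, using two constructed configs, an abbreviated copy of the posted FreeBSD default and a hardened version; the group name sshusers and the second port 122 are assumed values.

```sh
# Added example (not from the thread): audit an sshd_config(5) file against
# the points raised above. Both configs are constructed; the group "sshusers"
# and the second port 122 are assumed values.

# Effective value of a single-valued directive. sshd honours the first
# uncommented occurrence; with none present the compiled-in default ($3)
# applies, which is what the commented-out lines in the posted file show.
sshd_opt() {
    v=$(printf '%s\n' "$1" | awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }')
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# Port may appear several times (one listener each, as in the 22 + 122 setup
# suggested above); print all of them, or the default 22 if none is set.
sshd_ports() {
    p=$(printf '%s\n' "$1" | awk 'tolower($1) == "port" { printf "%s ", $2 }')
    if [ -n "$p" ]; then printf '%s\n' "${p% }"; else printf '%s\n' 22; fi
}

# Print one "FAIL <directive>: <why>" line per unmet check.
sshd_audit() {
    cfg=$1
    [ "$(sshd_opt "$cfg" Protocol 2)" = 2 ] ||
        echo "FAIL Protocol: must be exactly 2, so that ssh1 stays disabled"
    [ "$(sshd_opt "$cfg" PermitRootLogin no)" = no ] ||
        echo "FAIL PermitRootLogin: direct root logins should be refused"
    [ "$(sshd_opt "$cfg" PasswordAuthentication no)" = no ] ||
        echo "FAIL PasswordAuthentication: use keys, not passwords"
    # With UsePAM yes, keyboard-interactive still reaches the PAM password
    # check, as the comment block in the posted file warns. Sites that rely
    # on OPIE one-time passwords will want to relax this check.
    [ "$(sshd_opt "$cfg" ChallengeResponseAuthentication yes)" = no ] ||
        echo "FAIL ChallengeResponseAuthentication: password guessing still possible via PAM"
    au=$(sshd_opt "$cfg" AllowUsers ""); ag=$(sshd_opt "$cfg" AllowGroups "")
    [ -n "$au$ag" ] ||
        echo "FAIL AllowUsers/AllowGroups: every account with a shell may try to log in"
    tries=$(sshd_opt "$cfg" MaxAuthTries 6)
    [ "$tries" -le 3 ] ||
        echo "FAIL MaxAuthTries: $tries guesses per connection, 3 or fewer is enough"
    # A key login that falls back to keyboard-interactive counts as one
    # failure, so a value of 1 would lock out legitimate key users.
    [ "$tries" -ge 2 ] ||
        echo "FAIL MaxAuthTries: $tries leaves no room for the key-to-keyboard fallback"
    [ "$(sshd_ports "$cfg")" != 22 ] ||
        echo "FAIL Port: listening on 22 only, the port every blind scanner tries"
}

# Number of failed checks, for use in scripts.
sshd_fail_count() {
    sshd_audit "$1" | awk '/^FAIL/ { n++ } END { print n + 0 }'
}

# Constructed: the relevant lines of the FreeBSD default posted above
# (all commented out, so the compiled-in defaults apply).
DEFAULT_CFG='#Port 22
#Protocol 2
#PermitRootLogin no
#MaxAuthTries 6
#PubkeyAuthentication yes
#PasswordAuthentication no
#ChallengeResponseAuthentication yes
#UsePAM yes
#UseDNS yes
Subsystem       sftp    /usr/libexec/sftp-server'

# Constructed: the same file hardened along the lines suggested in the thread.
HARDENED_CFG='Protocol 2
Port 22
Port 122
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowGroups sshusers
MaxAuthTries 3
# start refusing unauthenticated connections at 3 pending, refuse all at 10
MaxStartups 3:50:10
# UseDNS no also silences the "reverse mapping checking getaddrinfo" line
# from the original post, which is a DNS mismatch, not a login attempt.
UseDNS no
Subsystem       sftp    /usr/libexec/sftp-server'

echo "== posted default: $(sshd_fail_count "$DEFAULT_CFG") failed check(s)"
sshd_audit "$DEFAULT_CFG"
echo "== hardened: $(sshd_fail_count "$HARDENED_CFG") failed check(s)"
sshd_audit "$HARDENED_CFG"
```

Point `sshd_audit` at `$(cat /etc/ssh/sshd_config)` to run it against a live file; port 22 on the hardened host is meant to be reachable only from trusted addresses via a packet-filter rule, which this script does not check.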

Re: Please Help! How to STOP them...

2007-01-12 Thread Garrett Cooper

VeeJay wrote:
> Thanks Reko
> 
> Just couple of more questions...
> 
> 
> On 1/12/07, Reko Turja <[EMAIL PROTECTED]> wrote:
>>
>> From: "VeeJay" <[EMAIL PROTECTED]>
>> To: <[EMAIL PROTECTED]>; "FreeBSD-Questions"
>> 
>> Sent: Friday, January 12, 2007 11:43 PM
>> Subject: Please Help! How to STOP them...
>>
>>
>> >I am reading many hundred lines similar to below mentioned?
>> >
>> > Could you please advise me what to do and how can I make my box more
>> > secure?
>> >
>> > Jan  9 17:54:42 localhost sshd[5130]: reverse mapping checking
>> > getaddrinfo
>> > for bbs-83-179.189.218.on-nets.com [218.189.179.83] failed -
>> > POSSIBLE
>> > BREAK-IN ATTEMPT!
>> > Jan  9 17:54:42 localhost sshd[5130]: Invalid user sysadmin from
>> > 218.189.179.83
>>
>> It's basically just script kiddies trying to get in using some ready
>> made user/password pairs.
>>
>> Lots of info covering this has been posted in these newsgroups
>> previously, but some things you might consider
>>
>> Moving your sshd port somewhere else than 22 - the prepackaged
>> "cracking" programs don't scan ports, just blindly try out the default
>> port - with determined/skilled attacker it's different matter entirely
>> though.
> 
> 
> How to change the port from 22 to something other and in what range
> should I
> choose a number?
> 
> 
> Use some kind of portblocker (lots in ports tree) which closes the
>> port after predetermined number of attempts - or as an alternative,
>> use PF to close the port for IP's in question after predetermined
>> number of connection attempts in given time.
> 
> 
> Can you suggest such port which I should install to block these attempts?
> 
> Use key based authentication and stop using passwords altogether.
> 
> 
> What do you mean here?
> 
> Remember to keep ssh1 disabled as well as direct root access into ssh
>> from the ssh config file.
> 
> 
> How to disable SSH1 and How to stop direct root access into ssh, where to
> change?
> 
> -Reko

Read man sshd_config.
- -Garrett



Re: Please Help! How to STOP them...

2007-01-12 Thread VeeJay

Thanks Reko

Just couple of more questions...


On 1/12/07, Reko Turja <[EMAIL PROTECTED]> wrote:

> From: "VeeJay" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>; "FreeBSD-Questions"
>
> Sent: Friday, January 12, 2007 11:43 PM
> Subject: Please Help! How to STOP them...
>
> > I am reading many hundred lines similar to below mentioned?
> >
> > Could you please advise me what to do and how can I make my box more
> > secure?
> >
> > Jan  9 17:54:42 localhost sshd[5130]: reverse mapping checking getaddrinfo
> > for bbs-83-179.189.218.on-nets.com [218.189.179.83] failed - POSSIBLE
> > BREAK-IN ATTEMPT!
> > Jan  9 17:54:42 localhost sshd[5130]: Invalid user sysadmin from
> > 218.189.179.83
>
> It's basically just script kiddies trying to get in using some ready
> made user/password pairs.
>
> Lots of info covering this has been posted in these newsgroups
> previously, but some things you might consider
>
> Moving your sshd port somewhere else than 22 - the prepackaged
> "cracking" programs don't scan ports, just blindly try out the default
> port - with determined/skilled attacker it's different matter entirely
> though.

How to change the port from 22 to something other and in what range should I
choose a number?

> Use some kind of portblocker (lots in ports tree) which closes the
> port after predetermined number of attempts - or as an alternative,
> use PF to close the port for IP's in question after predetermined
> number of connection attempts in given time.

Can you suggest such port which I should install to block these attempts?

> Use key based authentication and stop using passwords altogether.

What do you mean here?

> Remember to keep ssh1 disabled as well as direct root access into ssh
> from the ssh config file.

How to disable SSH1 and How to stop direct root access into ssh, where to
change?

> -Reko






--
Thanks!

BR / vj


Re: Please Help! How to STOP them...

2007-01-12 Thread Reko Turja

From: "VeeJay" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; "FreeBSD-Questions" 


Sent: Friday, January 12, 2007 11:43 PM
Subject: Please Help! How to STOP them...



> I am reading many hundred lines similar to below mentioned?
>
> Could you please advise me what to do and how can I make my box more
> secure?
>
> Jan  9 17:54:42 localhost sshd[5130]: reverse mapping checking getaddrinfo
> for bbs-83-179.189.218.on-nets.com [218.189.179.83] failed - POSSIBLE
> BREAK-IN ATTEMPT!
> Jan  9 17:54:42 localhost sshd[5130]: Invalid user sysadmin from
> 218.189.179.83


It's basically just script kiddies trying to get in using some ready 
made user/password pairs.


Lots of info covering this has been posted in these newsgroups 
previously, but some things you might consider


Moving your sshd port somewhere else than 22 - the prepackaged 
"cracking" programs don't scan ports, just blindly try out the default 
port - with determined/skilled attacker it's different matter entirely 
though.


Use some kind of portblocker (lots in ports tree) which closes the 
port after predetermined number of attempts - or as an alternative, 
use PF to close the port for IP's in question after predetermined 
number of connection attempts in given time.


Use key based authentication and stop using passwords altogether.

Remember to keep ssh1 disabled as well as direct root access into ssh 
from the ssh config file.


-Reko 
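Reko's port blocker and Peter's PF 'overload' rules further up both apply the same rule: count failed logins per source address and block the address once it passes a threshold within a time window. The script below is an added example, not from the thread or from either tool: it implements that counting over constructed log lines in the sshd format of the original post and prints the matching pfctl command as a dry run. The PF table name bruteforce and the two documentation addresses are assumptions, and, following Erik's point, the "reverse mapping checking" line is deliberately not counted.

```sh
# Added example (not from the thread): flag source addresses with N
# authentication failures inside W seconds, which is the rule a port blocker
# or a PF overload table applies. The log lines are constructed in the sshd
# format of the original post; 192.0.2.10 and 198.51.100.7 are documentation
# addresses, and the table name "bruteforce" is assumed.

# Print "<ip> <total failures>" for every address that reached N failures
# within some W-second window, in the order they crossed the threshold.
# The "reverse mapping checking getaddrinfo ... failed" line is a DNS
# mismatch, not an authentication failure, so it matches neither pattern.
ssh_bruteforce_offenders() {
    printf '%s\n' "$1" | awk -v N="$2" -v W="$3" '
    # syslog fields: $1 month, $2 day, $3 HH:MM:SS, $4 host, $5 sshd[pid]:
    # seconds since the start of the month (month boundaries are ignored)
    function tsec(day, hms,  p) {
        split(hms, p, ":")
        return day * 86400 + p[1] * 3600 + p[2] * 60 + p[3]
    }
    /sshd\[[0-9]+\]: (Invalid user|Failed password for)/ {
        ip = ""
        for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
        if (ip == "") next
        s = tsec($2, $3)
        n[ip]++; seen[ip, n[ip]] = s
        hits = 0
        for (k = 1; k <= n[ip]; k++) if (seen[ip, k] >= s - W) hits++
        if (hits >= N && !(ip in flagged)) { flagged[ip] = 1; order[++m] = ip }
    }
    END { for (k = 1; k <= m; k++) print order[k], n[order[k]] }'
}

# Dry run: print the pfctl(8) command that would add each offender to the
# "bruteforce" table a PF ruleset blocks; nothing is executed here.
ssh_bruteforce_block_cmds() {
    ssh_bruteforce_offenders "$1" "$2" "$3" | while read -r ip _; do
        printf 'pfctl -t bruteforce -T add %s\n' "$ip"
    done
}

# Constructed sample: the two lines from the original post, more of the same
# scanner, one legitimate user mistyping a password, and a slow scanner that
# spaces its guesses an hour apart.
LOG='Jan  9 17:54:42 localhost sshd[5130]: reverse mapping checking getaddrinfo for bbs-83-179.189.218.on-nets.com [218.189.179.83] failed - POSSIBLE BREAK-IN ATTEMPT!
Jan  9 17:54:42 localhost sshd[5130]: Invalid user sysadmin from 218.189.179.83
Jan  9 17:54:45 localhost sshd[5132]: Invalid user admin from 218.189.179.83
Jan  9 17:54:48 localhost sshd[5134]: Invalid user test from 218.189.179.83
Jan  9 17:54:51 localhost sshd[5136]: Failed password for invalid user oracle from 218.189.179.83 port 40213 ssh2
Jan  9 18:10:02 localhost sshd[5201]: Failed password for alice from 192.0.2.10 port 51022 ssh2
Jan  9 18:10:40 localhost sshd[5203]: Accepted publickey for alice from 192.0.2.10 port 51030 ssh2
Jan  9 20:00:00 localhost sshd[5300]: Invalid user guest from 198.51.100.7
Jan  9 21:00:00 localhost sshd[5310]: Invalid user guest from 198.51.100.7
Jan  9 22:00:00 localhost sshd[5320]: Invalid user guest from 198.51.100.7
Jan  9 23:00:00 localhost sshd[5330]: Invalid user guest from 198.51.100.7'

echo "== 3 failures within 60 s flags only the fast scanner"
ssh_bruteforce_block_cmds "$LOG" 3 60
echo "== 3 failures within a day catches the slow scanner too"
ssh_bruteforce_block_cmds "$LOG" 3 86400
```

Feed it `$(grep sshd /var/log/auth.log)` to run over a real file; the window size is the trade-off Reko's "in given time" hints at, since a short window misses slow scanners and a long one risks blocking a user who mistypes a few times over a day.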




Re: Please Help! How to STOP them...

2007-01-12 Thread Bill Moran
In response to VeeJay <[EMAIL PROTECTED]>:

> I am reading many hundred lines similar to below mentioned?
> 
> Could you please advise me what to do and how can I make my box more secure?
> 
> Jan  9 17:54:42 localhost sshd[5130]: reverse mapping checking getaddrinfo
> for bbs-83-179.189.218.on-nets.com [218.189.179.83] failed - POSSIBLE
> BREAK-IN ATTEMPT!
> Jan  9 17:54:42 localhost sshd[5130]: Invalid user sysadmin from
> 218.189.179.83

Somebody is trying to break in to your system:

In order to stop the messages, disconnect the system from the Internet,
the attacker will then be unable to reach it.

There are, however, less drastic workarounds.  An exercise with google will
turn up a number of programs that will reduce the problem to a manageable
level.  This topic comes up about once a week on this list alone.

-- 
Bill Moran
Collaborative Fusion Inc.


Please Help! How to STOP them...

2007-01-12 Thread VeeJay

I am reading many hundred lines similar to below mentioned?

Could you please advise me what to do and how can I make my box more secure?

Jan  9 17:54:42 localhost sshd[5130]: reverse mapping checking getaddrinfo
for bbs-83-179.189.218.on-nets.com [218.189.179.83] failed - POSSIBLE
BREAK-IN ATTEMPT!
Jan  9 17:54:42 localhost sshd[5130]: Invalid user sysadmin from
218.189.179.83

--
Thanks!

BR / vj