Re: machine hangs on occasion - correlated with ssh break-in attempts

Mikhail Teterin writes:

A machine I manage remotely for a friend comes under a distributed ssh break-in attack every once in a while. Annoyed (and alarmed) by the messages like:

Aug 12 10:21:17 symbion sshd[4333]: Invalid user mythtv from
Aug 12 10:21:18 symbion sshd[4335]: Invalid user mythtv from
Aug 12 10:21:20 symbion sshd[4337]: Invalid user mythtv from
Aug 12 10:21:21 symbion sshd[4339]: Invalid user mythtv from

I wrote an awk script, which adds a block of the attacking IP address to the ipfw rules after three such "invalid user" attempts with:

ipfw add 550 deny ip from ip

The script is fed by syslogd directly -- through a syslog.conf rule ("|/opt/sbin/auth-log-watch").


You should look at 'bruteblock' (ports/security); it has similar functionality. It also provides a daemon process, bruteblockd, which is
responsible for removing entries from the ipfw table.
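For readers who want to see the mechanism the thread is talking about, here is an added example of a syslogd-fed watcher in the same spirit: it is not Mikhail's script (which is not posted) and not bruteblock. It is a small POSIX sh wrapper around an awk program that counts sshd "Invalid user ... from <address>" lines per source address and, on the attempt that reaches the threshold, emits an ipfw deny rule for that address. The threshold of three and rule number 550 come from the quoted post; the rule is written in the full `from X to any` form ipfw expects; the `--watch` flag, the DRY_RUN switch, the IPv4-only address check and the sample log lines are this example's own assumptions, and the sample lines are constructed, not real log data.

```shell
#!/bin/sh
# Added example (not the script from the post, not bruteblock): a syslogd-fed
# watcher in the same spirit. syslogd pipes sshd lines to this script's stdin;
# after THRESHOLD "Invalid user" attempts from one address, an ipfw deny rule
# for that address is added. Threshold 3 and rule number 550 are taken from the
# post; everything else is this example's own choice.

THRESHOLD=${THRESHOLD:-3}
RULE_NUM=${RULE_NUM:-550}
DRY_RUN=${DRY_RUN:-1}   # 1 = only print the ipfw commands, 0 = execute them

# gen_block_cmds: read log lines on stdin, print one "ipfw add ..." command per
# source address, emitted exactly once, on the attempt that reaches THRESHOLD.
gen_block_cmds() {
    awk -v threshold="$THRESHOLD" -v rule="$RULE_NUM" '
        /sshd\[[0-9]*\]: Invalid user / {
            ip = ""
            # The address is the field after "from"; take the last such field so
            # a username that happens to be "from" cannot shift the parse.
            for (i = 1; i < NF; i++)
                if ($i == "from" && $(i + 1) ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
                    ip = $(i + 1)
            # No IPv4-shaped source (IPv6 peer, or a crafted log line trying to
            # smuggle shell metacharacters into the rule): ignore the line.
            if (ip == "") next
            count[ip]++
            if (count[ip] == threshold) {
                printf("ipfw add %d deny ip from %s to any\n", rule, ip)
                # syslogd holds the pipe open indefinitely, so without a flush
                # the command would sit in the awk stdout buffer and never run.
                fflush()
            }
        }
    '
}

# watch: the long-running mode, meant for a syslog.conf line such as
#   auth.info   |/opt/sbin/auth-log-watch --watch
# (the path is the one the post mentions; the selector and the assumption that
# syslogd hands the command to a shell so the argument survives are ours).
watch() {
    gen_block_cmds | while IFS= read -r cmd; do
        if [ "$DRY_RUN" = 1 ]; then
            printf '%s\n' "$cmd"
        else
            # $cmd is built only from a rule number and a validated IPv4
            # address, so plain word splitting is safe here.
            $cmd
        fi
    done
}

# sample_log: constructed sshd lines for a stand-alone run, not real data.
sample_log() {
    cat <<'EOF'
Aug 12 10:21:17 symbion sshd[4333]: Invalid user mythtv from 192.0.2.10
Aug 12 10:21:18 symbion sshd[4335]: Invalid user mythtv from 192.0.2.10
Aug 12 10:21:19 symbion sshd[4336]: Accepted publickey for admin from 198.51.100.7 port 51234 ssh2
Aug 12 10:21:20 symbion sshd[4337]: Invalid user mythtv from 198.51.100.7 port 4022
Aug 12 10:21:21 symbion sshd[4339]: Invalid user mythtv from 192.0.2.10
Aug 12 10:21:22 symbion sshd[4341]: Invalid user mythtv from 192.0.2.10
Aug 12 10:21:23 symbion sshd[4343]: Invalid user mythtv from 198.51.100.7 port 4023
Aug 12 10:21:24 symbion sshd[4345]: Invalid user admin from evil;reboot
EOF
}

# demo: run the constructed lines through the matcher and print the commands
# that would be issued (with the default threshold: one rule, for 192.0.2.10).
demo() {
    sample_log | gen_block_cmds
}

if [ "${1:-}" = "--watch" ]; then
    watch
else
    demo
fi
```

Two points the block makes that the post's description leaves implicit: the address is validated before it is spliced into a command (a log line is attacker-influenced input, and syslogd runs this pipe as root), and awk's output must be flushed, because syslogd never closes the pipe and a buffered `ipfw add` would otherwise never be executed. The example also shares the post's limitation that the reply points at: it only ever adds rules and never removes them, which is exactly the job bruteblockd does for bruteblock.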

