[H-GEN] Blocking SSH exploits
gjb at gbch.net
Sun Aug 22 20:06:43 EDT 2004
On 2004-08-22, Sarah Walters wrote:
> In the daily security report generated by our FreeBSD box, we've been
> getting a lot of messages like the following lately:
> tempus.walters.id.au login failures:
> Aug 21 09:07:25 tempus sshd: Failed password for root from
> 188.8.131.52 port 39247 ssh2
I've been seeing these regularly since 25 July.
> By the way, we are thinking that it would be nice to be able to block
> IPs that make any such attempts automatically, probably for about 10
> minutes. Does anyone know how to do this, and would it be worthwhile trying?
It would be a SMOP to watch the logs, grab IPs, and add rules to
ipfw to block and log them. If you then had a cron job to sweep
your logs at some interval to watch for further incidents, you
could delete the rules if you thought they had gone away. I
don't do this, so I haven't got the script to offer; but it will
be easy to do if you want to go that way.
In my case, I only allow ssh from outside to one account and I
am the only person who knows what combination of password and
key works with it. And I keep my ssh daemons up to date.
More information about the General