Internet Blackout Day : Against Evidence (Amendment) (No2) Act 2012

Internet Blackout Day : Internet freedom

August 14th, 2012, posted by Kevin Foo (chfl4gs_)

Recovering data from Linux LVM with same volume group name

Replacing or upgrading a notebook's internal hdd is not something I do often, but I had to do one lately because of a failing disk: smartctl reported read failures, so I decided on an early replacement. I still needed to get recent data that had not been backed up off the old hdd.

Cloning the hdd did not seem a good option: it takes longer and may fail to replicate the data completely because of the read errors. So I reinstalled OpenSUSE on the new hdd and restored the relevant data partition by partition.

The OpenSUSE installer's default LVM volume group name happened to be the same as on the old disk. This is a problem when accessing data on the failing hdd, because the partition I need to mount sits in a volume group with the same name ("system") as the one the running system uses. You should change the volume group name to something other than "system" during installation. I didn't pay attention at that point, and now I have two "system" volume groups. How do you mount a volume on the failing hdd then?

Actually, it is just a matter of renaming the volume group, which vgrename can do by UUID when the name is ambiguous.

1) Find the UUID of the volume group by dumping the start of the old PV with dd. The LVM2 metadata area sits just after the PV label and is plain text, so the VG name and UUID are readable in the dump. (LVM's own tools can show it too: vgdisplay, or vgs -o vg_name,vg_uuid, warns about the duplicate name and lists each VG's UUID.)

dd if=/dev/sdb2 bs=512 count=255 skip=1 of=/tmp/sdb2.txt

Check the dump for the VG UUID (the dump also contains binary label bytes, so strings(1) gives cleaner output than cat):

cat /tmp/sdb2.txt

You will find something like this. The metadata area is a ring buffer, so older copies of the same text with lower seqno values may appear as well; the VG UUID is the same in all of them.

system {
id = "8SX5aX-gQZJ-auYA-UX54-BkBA-nc4V-rNoV6v"
seqno = 6
status = ["RESIZEABLE", "READ", "WRITE"]
flags = []
extent_size = 8192
max_lv = 0
max_pv = 0

physical_volumes {

pv0 {
id = "dAe8PS-ThIN-Piez-pmqE-8hUv-vdGM-dyvtSO"
device = "/dev/sda2"

status = ["ALLOCATABLE"]
flags = []
dev_size = 487845855
pe_start = 384
pe_count = 59551
}
}

logical_volumes {

home {
id = "hQH10J-MouP-sNok-VNJN-53As-BYsw-b5cqS3"
status = ["READ", "WRITE", "VISIBLE"]
flags = []
segment_count = 1

segment1 {
start_extent = 0
extent_count = 50847

type = "striped"
stripe_count = 1        # linear

stripes = [
"pv0", 0
]
}
}

root {
id = "nde2YD-6rgk-Ufm7-bLf7-ERTc-bHdO-kg7fwF"
status = ["READ", "WRITE", "VISIBLE"]
flags = []
segment_count = 1

segment1 {
start_extent = 0
extent_count = 7680

type = "striped"
stripe_count = 1        # linear

stripes = [
"pv0", 51359
]
}
}

swap {
id = "KXGiD4-qFSH-smun-P4wS-TH14-xxfY-lWYlq8"
status = ["READ", "WRITE", "VISIBLE"]
flags = []
segment_count = 2

segment1 {
start_extent = 0
extent_count = 512

type = "striped"
stripe_count = 1        # linear

stripes = [
"pv0", 59039
]
}
segment2 {
start_extent = 512
extent_count = 512

type = "striped"
stripe_count = 1        # linear

stripes = [
"pv0", 50847
]
}
}
}
}

 

The UUID of the volume group “system” is “8SX5aX-gQZJ-auYA-UX54-BkBA-nc4V-rNoV6v”

2) Rename the volume group, referring to it by UUID since the name "system" is ambiguous. Note that vgrename writes new metadata to the failing disk.

# vgrename 8SX5aX-gQZJ-auYA-UX54-BkBA-nc4V-rNoV6v oldsystem

3) Activate the renamed volume group

# vgchange -a y oldsystem

Now you should have your vg ready. Verify it with

# pvscan

Output

  PV /dev/sdb2   VG oldsystem      lvm2 [232.62 GiB / 0    free]
  PV /dev/sda2   VG system   lvm2 [297.93 GiB / 23.93 GiB free]
  Total: 2 [530.55 GiB] / in use: 2 [530.55 GiB] / in no VG: 0 [0   ]

Check the volume

# lvscan

  ACTIVE            '/dev/oldsystem/home' [198.62 GiB] inherit
  ACTIVE            '/dev/oldsystem/root' [30.00 GiB] inherit
  ACTIVE            '/dev/oldsystem/swap' [4.00 GiB] inherit
  ACTIVE            '/dev/system/home' [250.00 GiB] inherit
  ACTIVE            '/dev/system/root' [20.00 GiB] inherit
  ACTIVE            '/dev/system/swap' [4.00 GiB] inherit

That's it. You can now mount the old volumes and dump/restore from the failing hdd. Mount them read-only (mount -o ro) so nothing is written to a disk that is already throwing read errors, and if the disk is getting worse, image the PV with ddrescue before the rename, since vgrename itself writes to the disk's metadata area.
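The dump-reading step above done as a script, added here as an example (not code from the original post): it pulls the VG name, UUID and seqno out of a metadata dump like /tmp/sdb2.txt, choosing the copy with the highest seqno in case the ring buffer holds older ones, so the UUID can be passed straight to vgrename. The function names and the sample metadata text are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): read the VG name, UUID and
# seqno out of an LVM2 metadata dump such as /tmp/sdb2.txt above, so that
# the duplicate VG can be renamed by UUID. The metadata area is a ring
# buffer and may hold older copies of the VG text; the copy with the
# highest seqno is the live one.

lvm_vg_id() {
  # $1: file holding the raw dump of the start of the PV
  # Output: "<vg name> <vg uuid> <seqno>" for the newest copy found
  tr -cd '[:print:]\n' < "$1" | awk '
    BEGIN { best = -1 }
    # a depth-0 line of the form "name {" opens a volume group record
    depth == 0 && NF == 2 && $2 == "{" { vg = $1; id = ""; seq = -1 }
    # the VG-level id and seqno live directly inside that block (depth 1);
    # ids of PVs and LVs are nested deeper and are ignored
    depth == 1 && $1 == "id"    { gsub(/"/, "", $3); id = $3 }
    depth == 1 && $1 == "seqno" { seq = $3 + 0 }
    $NF == "{" { depth++ }
    $1 == "}"  { depth--; if (depth == 0 && seq > best) { best = seq; bvg = vg; bid = id } }
    END { if (best >= 0) print bvg, bid, best }
  '
}

lvm_demo_sample() {
  # Constructed sample (not a real dump): an older copy (seqno 5) followed
  # by the current one (seqno 6), as the ring buffer might hold them.
  cat > "$1" <<'EOF'
system {
id = "8SX5aX-gQZJ-auYA-UX54-BkBA-nc4V-rNoV6v"
seqno = 5
status = ["RESIZEABLE", "READ", "WRITE"]
physical_volumes {
pv0 {
id = "dAe8PS-ThIN-Piez-pmqE-8hUv-vdGM-dyvtSO"
device = "/dev/sda2"
}
}
}
contents = "Text Format Volume Group"
version = 1
system {
id = "8SX5aX-gQZJ-auYA-UX54-BkBA-nc4V-rNoV6v"
seqno = 6
status = ["RESIZEABLE", "READ", "WRITE"]
physical_volumes {
pv0 {
id = "dAe8PS-ThIN-Piez-pmqE-8hUv-vdGM-dyvtSO"
device = "/dev/sda2"
}
}
logical_volumes {
home {
id = "hQH10J-MouP-sNok-VNJN-53As-BYsw-b5cqS3"
}
}
}
contents = "Text Format Volume Group"
version = 1
EOF
}

# Demo run on the constructed sample
tmp=$(mktemp)
lvm_demo_sample "$tmp"
lvm_vg_id "$tmp"   # system 8SX5aX-gQZJ-auYA-UX54-BkBA-nc4V-rNoV6v 6
rm -f "$tmp"
```

On the real dump the second field is what vgrename needs: vgrename "$(lvm_vg_id /tmp/sdb2.txt | cut -d' ' -f2)" oldsystem. The seqno is printed so you can confirm the copy you read is the newest one rather than a stale copy left in the ring buffer.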

January 14th, 2012, posted by Kevin Foo (chfl4gs_)

FreeBSD : freebsd-update

FreeBSD

Tried to upgrade my FreeBSD system to 9.0-RC2, pending 9.0-RELEASE, but stumbled upon this error:

The update metadata is correctly signed, but failed an integrity check. Cowardly refusing to proceed any further.

Obviously, I missed the official announcement that a small patch to freebsd-update is needed first:

sed -i '' -e 's/=_/=%@_/' /usr/sbin/freebsd-update

The substitution adds % and @ to the set of characters that freebsd-update's metadata sanity check accepts; 9.0's metadata contains those characters, so an unpatched script rejects an index whose signature has actually verified. With that, you can proceed with the upgrade. Hex (development halted for almost 2 years; we are reviving it, sorry mates!) builds will be based on FreeBSD 9.0.

November 29th, 2011, posted by Kevin Foo (chfl4gs_)

ssh ‘connection reset by peer’ issue

OpenSSH
I have been plagued by an ssh problem since OpenSSH 5.8p1 on OpenSuSE 11.4. Without any warning, even with the debug level set to 3, ssh connections to older routers/servers are dropped silently. I have the issue ssh'ing to an AMD64 FreeBSD 8.2-RELEASE box, which ships with OpenSSH 5.4p1.

chflags@zeus:~> ssh -v 10.0.48.61 -l kevin
OpenSSH_5.8p1, OpenSSL 1.0.0c 2 Dec 2010
debug1: Reading configuration data /home/chflags/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to 10.0.48.61 [10.0.48.61] port 22.
debug1: Connection established.
debug1: identity file /home/chflags/.ssh/id_rsa type -1
debug1: identity file /home/chflags/.ssh/id_rsa-cert type -1
debug1: identity file /home/chflags/.ssh/id_dsa type -1
debug1: identity file /home/chflags/.ssh/id_dsa-cert type -1
debug1: identity file /home/chflags/.ssh/id_ecdsa type -1
debug1: identity file /home/chflags/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.4p1 FreeBSD-20100308
debug1: match: OpenSSH_5.4p1 FreeBSD-20100308 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.8
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
Read from socket failed: Connection reset by peer

Some internet searching showed I'm not the only one bitten by this bug :p
OpenSSH dev: http://www.gossamer-threads.com/lists/engine?do=post_view_flat;post=51339;page=1;mh=-1;list=openssh;sb=post_latest_reply;so=ASC
Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=612607
Ubuntu: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/708493
Arch Linux: https://bugs.archlinux.org/task/22897?project=1


WORKAROUNDS

1) Downgrade OpenSSH to 5.5p1 or lower, or better still, upgrade to 5.8p2 (or wait for the 5.9p1 release).

2) Add -c 'aes128-ctr' when connecting to a router/server running an older version of ssh. This restricts the cipher list the client proposes in its KEXINIT; a Ciphers line in a Host stanza of ~/.ssh/config makes it permanent for that host.

3) Add to ~/.ssh/config: HostKeyAlgorithms ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss. (I personally couldn't get this to work, so I can't verify it. You can try it though.)

Once you use one of the workarounds, you should be able to connect to old routers/servers. For instance, with workaround 2:

chflags@zeus:~> ssh -v 10.0.48.61 -c 'aes128-ctr'
OpenSSH_5.8p1, OpenSSL 1.0.0c 2 Dec 2010
debug1: Reading configuration data /home/chflags/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to 10.0.48.61 [10.0.48.61] port 22.
debug1: Connection established.
debug1: identity file /home/chflags/.ssh/id_rsa type -1
debug1: identity file /home/chflags/.ssh/id_rsa-cert type -1
debug1: identity file /home/chflags/.ssh/id_dsa type -1
debug1: identity file /home/chflags/.ssh/id_dsa-cert type -1
debug1: identity file /home/chflags/.ssh/id_ecdsa type -1
debug1: identity file /home/chflags/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.4p1 FreeBSD-20100308
debug1: match: OpenSSH_5.4p1 FreeBSD-20100308 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.8
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA 63:4c:3e:87:76:5a:d7:62:47:d7:74:60:84:72:10:03
debug1: Host '10.0.48.61' is known and matches the RSA host key.
debug1: Found key in /home/chflags/.ssh/known_hosts:22
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/chflags/.ssh/id_rsa
debug1: Trying private key: /home/chflags/.ssh/id_dsa
debug1: Trying private key: /home/chflags/.ssh/id_ecdsa
debug1: Next authentication method: keyboard-interactive
Password:

May 6th, 2011, posted by Kevin Foo (chfl4gs_)

FreeBSD : displaying chinese characters in console

A quick and easy tip for displaying Chinese characters in console mode. This applies not only to FreeBSD but to Linux and other *nix variants too.

This is what you get when dealing with Chinese characters in console mode with csh (screenshot not reproduced): garbled output instead of the characters.

Just set the LANG environment variable to zh_TW.UTF-8 with this command: setenv LANG zh_TW.UTF-8.

Simple, eh? Indeed. To make it permanent, edit /etc/csh.cshrc and put these in:

setenv ENABLE_STARTUP_LOCALE zh_TW.UTF-8
setenv LC_CTYPE en_US.ISO10646-1
setenv LC_ALL zh_TW.UTF-8
setenv LANG zh_TW.UTF-8

For bash, edit /etc/profile and use export instead of setenv, i.e. export LANG=zh_TW.UTF-8. Note that LC_ALL overrides LANG and every other LC_* variable, so with LC_ALL set the LC_CTYPE line above has no effect; if you only want the character set switched and not all messages localised, set LC_CTYPE and LANG and leave LC_ALL unset.

January 12th, 2011, posted by Kevin Foo (chfl4gs_)

TM Unifi VIP20 speed test

I have had Unifi VIP20 since August and am quite satisfied with the performance. Here are some speed tests I ran over the 20Mbps Unifi link.

Speed test screenshots (not reproduced here), Unifi to: Singapore, Jakarta, Mumbai, Bangkok, Seoul, Athens, Doha, Wellington, Los Angeles, Dallas and New York.

September 17th, 2010, posted by Kevin Foo (chfl4gs_)

freebsd-update : 6.2-RELEASE to 8.1-RELEASE


I put on my sysadmin hat and upgraded some FreeBSD 6.2 boxes recently. Here are the steps I used. Make sure you have a good backup before attempting this upgrade. You are WARNED!

old6# uname -a
FreeBSD old6.vnet.0rg 6.2-RELEASE FreeBSD 6.2-RELEASE #0: Fri Jan 12 10:40:27 UTC 2007 root@dessler.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386

A rather aged machine without any updates. Damn the lazy sysadmin :P

Now grab the freebsd-update script from Colin Percival's directory on people.freebsd.org and extract it. You can't use the freebsd-update in 6.2's base system, as it lacks the "-r" switch needed to upgrade to another -RELEASE.

old6# fetch http://people.freebsd.org/~cperciva/freebsd-update-upgrade.tgz
old6# tar xvfz freebsd-update-upgrade.tgz

Next, fire up the freebsd-update script to upgrade the system to 8.1-RELEASE. It will prompt you to upgrade your kernel first if you use a kernel other than GENERIC or SMP; in that case you need to build and install an 8.1 kernel manually before proceeding with "freebsd-update install". The upgrade script will also ask a bunch of questions about file merges. They are pretty much self-explanatory. Be aware that the merge diffs echo the full contents of /etc/master.passwd, including the root password hash, so scrub that from the output before sharing it.

old6# ./freebsd-update.sh upgrade -f freebsd-update.conf -r 8.1-RELEASE
Looking up update.FreeBSD.org mirrors... 3 mirrors found.
Fetching public key from update4.FreeBSD.org... done.
Fetching metadata signature for 6.2-RELEASE from update4.FreeBSD.org... done.
Fetching metadata index... done.
Fetching 2 metadata files... done.
Inspecting system... done.


The following components of FreeBSD seem to be installed:
kernel/generic src/base src/bin src/contrib src/crypto src/etc src/games
src/gnu src/include src/krb5 src/lib src/libexec src/release src/rescue
src/sbin src/secure src/share src/sys src/tools src/ubin src/usbin
world/base world/catpages world/dict world/doc world/games world/info
world/manpages world/proflibs


The following components of FreeBSD do not seem to be installed:
kernel/smp


Does this look reasonable (y/n)? y


Fetching metadata signature for 8.1-RELEASE from update4.FreeBSD.org... done.
Fetching metadata index... done.
Fetching 1 metadata patches. done.
Applying metadata patches... done.
Fetching 1 metadata files... done.
Inspecting system... done.


Fetching files from 6.2-RELEASE for merging... done.
Preparing to download files... done.
Fetching 5294 patches.....10....20....30....40....50....60....70....80....90....100....110....120....130....140....150....160....170....180....190....200....210....220....230....240....250....260....270....280....290....300....310... done.
Applying patches... done.
Fetching 5416 files... done.
Attempting to automatically merge changes in files... done.


The following changes, which occurred between FreeBSD 6.2-RELEASE and
FreeBSD 8.1-RELEASE have been merged into /etc/group:
--- current version
+++ new version
@@ -1,6 +1,6 @@
-# $FreeBSD: src/etc/group,v 1.32.2.1 2006/03/06 22:23:10 rwatson Exp $
+# $FreeBSD: src/etc/group,v 1.35.10.1.4.1 2010/06/14 02:09:06 kensmith Exp $
#
wheel:*:0:root,chflags
daemon:*:1:
kmem:*:2:
sys:*:3:
@@ -9,10 +9,11 @@
mail:*:6:
bin:*:7:
news:*:8:
man:*:9:
games:*:13:
+ftp:*:14:
staff:*:20:
sshd:*:22:
smmsp:*:25:
mailnull:*:26:
guest:*:31:
Does this look reasonable (y/n)? y


The following changes, which occurred between FreeBSD 6.2-RELEASE and
FreeBSD 8.1-RELEASE have been merged into /etc/master.passwd:
--- current version
+++ new version
@@ -1,6 +1,6 @@
-# $FreeBSD: src/etc/master.passwd,v 1.40 2005/06/06 20:19:56 brooks Exp $
+# $FreeBSD: src/etc/master.passwd,v 1.40.22.1.4.1 2010/06/14 02:09:06 kensmith Exp $
#
root:$1$4Jd7.6Nx$ogtqf2/1drgoAFlO0iXmb.:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5::0:0:System &:/:/usr/sbin/nologin
Does this look reasonable (y/n)? y


The following changes, which occurred between FreeBSD 6.2-RELEASE and
FreeBSD 8.1-RELEASE have been merged into /etc/nsswitch.conf:
--- current version
+++ new version
@@ -1,7 +1,15 @@
+#
+# nsswitch.conf(5) - name service switch configuration file
+# $FreeBSD: src/etc/nsswitch.conf,v 1.1.10.1.4.1 2010/06/14 02:09:06 kensmith Exp $
+#
group: compat
group_compat: nis
hosts: files dns
networks: files
passwd: compat
passwd_compat: nis
shells: files
+services: compat
+services_compat: nis
+protocols: files
+rpc: files
Does this look reasonable (y/n)? y

The following changes, which occurred between FreeBSD 6.2-RELEASE and
FreeBSD 8.1-RELEASE have been merged into /etc/passwd:
--- current version
+++ new version
@@ -1,6 +1,6 @@
-# $FreeBSD: src/etc/master.passwd,v 1.40 2005/06/06 20:19:56 brooks Exp $
+# $FreeBSD: src/etc/master.passwd,v 1.40.22.1.4.1 2010/06/14 02:09:06 kensmith Exp $
#
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
Does this look reasonable (y/n)? y

The following files will be removed as part of updating to 8.1-RELEASE-p0:
/boot/kernel/ath_hal.ko
/boot/kernel/ath_rate.ko
/boot/kernel/bridge.ko
/boot/kernel/digi.ko
/boot/kernel/digi_CX.ko
/boot/kernel/digi_CX_PCI.ko
/boot/kernel/digi_EPCX.ko
/boot/kernel/digi_EPCX_PCI.ko
/boot/kernel/digi_Xe.ko
/boot/kernel/digi_Xem.ko
/boot/kernel/digi_Xr.ko
/boot/kernel/g_md.ko
/boot/kernel/geom_apple.ko
/boot/kernel/geom_gpt.ko

<— Long listing truncated —>


The following files will be added as part of updating to 8.1-RELEASE-p0:
/bin/pwait
/bin/uuidgen
/boot/firmware
/boot/gptboot
/boot/gptzfsboot
/boot/kernel/3dfx.ko.symbols
/boot/kernel/3dfx_linux.ko.symbols
/boot/kernel/aac.ko.symbols
/boot/kernel/aac_linux.ko.symbols
/boot/kernel/accf_data.ko.symbols
/boot/kernel/accf_dns.ko
/boot/kernel/accf_dns.ko.symbols
/boot/kernel/accf_http.ko.symbols
/boot/kernel/acpi.ko.symbols
/boot/kernel/acpi_aiboost.ko
/boot/kernel/acpi_aiboost.ko.symbols
/boot/kernel/acpi_asus.ko.symbols
/boot/kernel/acpi_dock.ko
/boot/kernel/acpi_dock.ko.symbols
/boot/kernel/acpi_fujitsu.ko.symbols
/boot/kernel/acpi_hp.ko
/boot/kernel/acpi_hp.ko.symbols
/boot/kernel/acpi_ibm.ko.symbols
/boot/kernel/acpi_panasonic.ko.symbols
/boot/kernel/acpi_sony.ko.symbols
/boot/kernel/acpi_toshiba.ko.symbols
/boot/kernel/acpi_video.ko.symbols
/boot/kernel/acpi_wmi.ko
/boot/kernel/acpi_wmi.ko.symbols

The following files will be updated as part of updating to 8.1-RELEASE-p0:
/.cshrc
/.profile
/COPYRIGHT
/bin/[
/bin/cat
/bin/chflags
/bin/chio
/bin/chmod
/bin/cp
/bin/csh
/bin/date
/bin/dd
/bin/df
/bin/domainname
/bin/echo
/bin/ed
/bin/expr
/bin/getfacl
/bin/hostname
/bin/kenv
/bin/kill
/bin/link
/bin/ln
/bin/ls
/bin/mkdir
/bin/mv
/bin/pax
/bin/pgrep
/bin/pkill

At this point, you have all the upgrade files ready. Time to roll. If you are running a custom kernel on 6.2-RELEASE, have your custom 8.1 kernel installed before attempting this step. In my attempt, sshd could not be started after the reboot, as the base was not yet in sync with the new kernel, so a remote binary upgrade from 6.2 to 8.1 seems not possible; plan for console access across the reboot. Let me know if you experience otherwise or have a better method for remote upgrades.

old6# ./freebsd-update.sh -f freebsd-update.conf install
Installing updates...
Kernel updates have been installed. Please reboot and run
"./freebsd-update.sh install" again to finish installing updates.
old6# reboot

uname now shows the spanking new 8.1-RELEASE kernel.


old6# uname -a
FreeBSD old6.vnet.0rg 8.1-RELEASE FreeBSD 8.1-RELEASE #0: Mon Jul 19 02:55:53 UTC 2010 root@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386

The new base is installed in this step. Reboot and you have a freshly upgraded 8.1-RELEASE FreeBSD.

old6# ./freebsd-update.sh -f freebsd-update.conf install
Installing updates... done.

PORTS
As this is a major upgrade, all ports should be recompiled. You could use compat6x (misc/compat6x) to minimise downtime if you have many services running on the box.

July 27th, 2010, posted by Kevin Foo (chfl4gs_)

Career move, site and project update



I made a career move to one of the telcos in Malaysia. During the transition period I was busy with documentation/handover, so the Hex project stalled and the blog was not updated. Hopefully I can spare some time for the project and the blog, though I am currently busy with an IDS deployment project.

Stay tuned! :)

July 19th, 2010, posted by Kevin Foo (chfl4gs_)

OpenSuSE 11.3: Network Management disabled

Got hit by a buggy NetworkManager on OpenSuSE 11.3: it stays disabled after waking up from suspend/hibernate.

Simple workarounds to get network manager working again (Use any of these) :-


# qdbus --system org.freedesktop.NetworkManager /org/freedesktop/NetworkManager wake


# nm-online


# rm /var/lib/NetworkManager/NetworkManager.state && rcnetwork restart

This resume bug is marked fixed, but the fix is not available in the update repository yet. :(

July 19th, 2010, posted by Kevin Foo (chfl4gs_)

ssh brute force is still popular?

This is really old, old stuff, but it still seems popular these days. Lots of script kiddies out there, I guess. My auth.log was harassed, flooded with ssh brute-force attempts. Three line types show up: banner-less probes ("Did not receive identification string"), root attempts refused by AllowUsers before any password is tried, and guesses at accounts that do not exist ("Invalid user").

Oct  1 10:13:50 sapphire sshd[43770]: Did not receive identification string from 202.150.213.94
Oct  1 12:40:35 sapphire sshd[45755]: Did not receive identification string from 212.122.224.24
Oct  1 20:15:14 sapphire sshd[51438]: Did not receive identification string from 219.239.17.98
Oct  1 20:19:08 sapphire sshd[51504]: User root from 219.239.17.98 not allowed because not listed in AllowUsers
Oct  1 20:19:11 sapphire sshd[51507]: User root from 219.239.17.98 not allowed because not listed in AllowUsers
Oct  1 20:19:16 sapphire sshd[51509]: User root from 219.239.17.98 not allowed because not listed in AllowUsers
Oct  1 20:19:24 sapphire sshd[51511]: Invalid user oper from 219.239.17.98
Oct  1 20:19:51 sapphire sshd[51513]: Did not receive identification string from 219.239.17.98
Oct  1 21:18:01 sapphire sshd[52675]: Did not receive identification string from 202.57.41.60
Oct  1 23:10:09 sapphire sshd[53993]: User root from 220.225.237.146 not allowed because not listed in AllowUsers
Oct  1 23:10:11 sapphire sshd[53995]: User root from 220.225.237.146 not allowed because not listed in AllowUsers
Oct  1 23:10:15 sapphire sshd[53997]: User root from 220.225.237.146 not allowed because not listed in AllowUsers
Oct  1 23:10:21 sapphire sshd[53999]: User root from 220.225.237.146 not allowed because not listed in AllowUsers
Oct  1 23:10:24 sapphire sshd[54001]: User root from 220.225.237.146 not allowed because not listed in AllowUsers
Oct  2 00:17:12 sapphire sshd[54918]: Did not receive identification string from 202.57.41.60
Oct  2 02:03:01 sapphire sshd[56453]: Did not receive identification string from 190.12.66.77
Oct  2 02:06:39 sapphire sshd[56484]: User root from 190.12.66.77 not allowed because not listed in AllowUsers
Oct  2 02:06:41 sapphire sshd[56486]: User root from 190.12.66.77 not allowed because not listed in AllowUsers
Oct  2 02:06:44 sapphire sshd[56488]: User root from 190.12.66.77 not allowed because not listed in AllowUsers
Oct  2 02:06:47 sapphire sshd[56490]: User root from 190.12.66.77 not allowed because not listed in AllowUsers
Oct  3 00:10:44 sapphire sshd[73858]: Did not receive identification string from 82.138.1.46
Oct  3 00:14:10 sapphire sshd[73974]: Invalid user admin from 82.138.1.46
Oct  3 00:14:14 sapphire sshd[73976]: User root from 82.138.1.46 not allowed because not listed in AllowUsers
Oct  3 00:14:17 sapphire sshd[73978]: Invalid user stud from 82.138.1.46
Oct  3 00:14:20 sapphire sshd[73980]: Invalid user trash from 82.138.1.46
Oct  3 00:57:23 sapphire sshd[74952]: Did not receive identification string from 85.46.29.147
Oct  3 01:06:54 sapphire sshd[75084]: User root from 85.46.29.147 not allowed because not listed in AllowUsers
Oct  3 01:06:57 sapphire sshd[75086]: User root from 85.46.29.147 not allowed because not listed in AllowUsers
Oct  3 01:07:00 sapphire sshd[75088]: User root from 85.46.29.147 not allowed because not listed in AllowUsers
Oct  3 01:07:04 sapphire sshd[75090]: User root from 85.46.29.147 not allowed because not listed in AllowUsers
Oct  3 01:07:07 sapphire sshd[75092]: User root from 85.46.29.147 not allowed because not listed in AllowUsers
Oct  3 09:33:55 sapphire sshd[83042]: Did not receive identification string from 200.46.247.78
Oct  3 10:13:44 sapphire sshd[83372]: Invalid user staff from 200.46.247.78
Oct  3 10:13:47 sapphire sshd[83374]: Invalid user sales from 200.46.247.78
Oct  3 10:13:49 sapphire sshd[83376]: Invalid user recruit from 200.46.247.78
Oct  3 10:13:52 sapphire sshd[83378]: Invalid user alias from 200.46.247.78
Oct  3 10:13:54 sapphire sshd[83380]: Invalid user office from 200.46.247.78
Oct  4 01:26:40 sapphire sshd[95219]: Invalid user oracle from 60.217.229.222
Oct  4 01:26:43 sapphire sshd[95221]: Invalid user oracle from 60.217.229.222
Oct  4 01:26:46 sapphire sshd[95223]: Invalid user oracle from 60.217.229.222
Oct  4 01:26:50 sapphire sshd[95225]: Invalid user oracle from 60.217.229.222
Oct  4 02:13:46 sapphire sshd[95625]: User root from 61.78.70.53 not allowed because not listed in AllowUsers
Oct  4 02:13:49 sapphire sshd[95627]: User root from 61.78.70.53 not allowed because not listed in AllowUsers
Oct  4 02:13:52 sapphire sshd[95629]: User root from 61.78.70.53 not allowed because not listed in AllowUsers
Oct  4 02:13:54 sapphire sshd[95631]: User root from 61.78.70.53 not allowed because not listed in AllowUsers
Oct  4 02:13:57 sapphire sshd[95633]: User root from 61.78.70.53 not allowed because not listed in AllowUsers
Oct  4 02:14:02 sapphire sshd[95635]: User root from 61.78.70.53 not allowed because not listed in AllowUsers
Oct  4 08:02:10 sapphire sshd[1258]: Did not receive identification string from 203.116.18.173
Oct  4 12:11:38 sapphire sshd[4353]: User root from 218.74.116.19 not allowed because not listed in AllowUsers
Oct  4 12:11:40 sapphire sshd[4355]: User root from 218.74.116.19 not allowed because not listed in AllowUsers
Oct  4 12:11:42 sapphire sshd[4357]: User root from 218.74.116.19 not allowed because not listed in AllowUsers
Oct  4 12:11:44 sapphire sshd[4359]: User root from 218.74.116.19 not allowed because not listed in AllowUsers
Oct  4 12:11:46 sapphire sshd[4361]: User root from 218.74.116.19 not allowed because not listed in AllowUsers
Oct  4 12:47:16 sapphire sshd[5153]: Did not receive identification string from 221.231.150.248
Oct  4 13:51:05 sapphire sshd[5837]: User root from 221.231.150.248 not allowed because not listed in AllowUsers
Oct  4 13:51:07 sapphire sshd[5839]: User root from 221.231.150.248 not allowed because not listed in AllowUsers
Oct  4 13:51:08 sapphire sshd[5841]: Invalid user admin from 221.231.150.248
Oct  4 13:51:10 sapphire sshd[5843]: Invalid user admin from 221.231.150.248
Oct  4 13:51:12 sapphire sshd[5845]: Invalid user test from 221.231.150.248
Oct  4 16:48:13 sapphire sshd[8049]: User root from 58.216.151.131 not allowed because not listed in AllowUsers
Oct  4 16:48:16 sapphire sshd[8051]: User root from 58.216.151.131 not allowed because not listed in AllowUsers
Oct  4 16:48:18 sapphire sshd[8053]: User root from 58.216.151.131 not allowed because not listed in AllowUsers
Oct  4 16:48:22 sapphire sshd[8055]: User root from 58.216.151.131 not allowed because not listed in AllowUsers
Oct  4 16:48:25 sapphire sshd[8057]: User root from 58.216.151.131 not allowed because not listed in AllowUsers
Oct  4 17:56:38 sapphire sshd[8788]: Invalid user test from 60.191.2.228
Oct  4 17:56:40 sapphire sshd[8790]: Invalid user test1 from 60.191.2.228
Oct  4 17:56:42 sapphire sshd[8792]: Invalid user ftp from 60.191.2.228
Oct  4 17:56:44 sapphire sshd[8794]: Invalid user oracle from 60.191.2.228
Oct  4 17:56:46 sapphire sshd[8796]: Invalid user nagios from 60.191.2.228
Oct  4 21:30:16 sapphire sshd[11427]: Did not receive identification string from 202.6.230.10
Oct  4 21:34:15 sapphire sshd[11484]: User root from 202.6.230.10 not allowed because not listed in AllowUsers
Oct  4 22:24:12 sapphire sshd[11892]: Did not receive identification string from 118.97.7.82
Oct  4 22:42:39 sapphire sshd[12004]: Invalid user webmaster from 118.97.7.82
Oct  4 22:42:41 sapphire sshd[12006]: User root from 118.97.7.82 not allowed because not listed in AllowUsers
Oct  4 22:42:43 sapphire sshd[12008]: Invalid user ftp from 118.97.7.82
Oct  4 22:42:45 sapphire sshd[12010]: Invalid user sales from 118.97.7.82
Oct  4 22:42:47 sapphire sshd[12012]: Invalid user admin from 118.97.7.82
Oct  5 07:11:07 sapphire sshd[19909]: User root from 207.182.128.170 not allowed because not listed in AllowUsers
Oct  5 07:11:09 sapphire sshd[19911]: User root from 207.182.128.170 not allowed because not listed in AllowUsers
Oct  5 07:11:11 sapphire sshd[19913]: User root from 207.182.128.170 not allowed because not listed in AllowUsers
Oct  5 07:11:13 sapphire sshd[19915]: User root from 207.182.128.170 not allowed because not listed in AllowUsers
Oct  5 07:11:15 sapphire sshd[19917]: User root from 207.182.128.170 not allowed because not listed in AllowUsers
Oct  5 11:55:16 sapphire sshd[23196]: User root from 222.186.23.134 not allowed because not listed in AllowUsers
Oct  5 11:55:18 sapphire sshd[23198]: User root from 222.186.23.134 not allowed because not listed in AllowUsers
Oct  5 11:55:20 sapphire sshd[23200]: User root from 222.186.23.134 not allowed because not listed in AllowUsers
Oct  5 11:55:22 sapphire sshd[23202]: Invalid user roo from 222.186.23.134
Oct  5 11:55:24 sapphire sshd[23204]: User root from 222.186.23.134 not allowed because not listed in AllowUsers
Oct  6 06:51:49 sapphire sshd[38994]: Did not receive identification string from 202.57.41.60
Oct  6 13:20:18 sapphire sshd[44247]: Invalid user sato from 58.180.45.71
Oct  6 13:20:21 sapphire sshd[44249]: Invalid user suzuki from 58.180.45.71
Oct  6 13:20:28 sapphire sshd[44252]: Invalid user takahashi from 58.180.45.71
Oct  6 13:20:30 sapphire sshd[44254]: Invalid user tanaka from 58.180.45.71
Oct  6 13:20:35 sapphire sshd[44256]: Invalid user watanabe from 58.180.45.71
Oct  6 15:36:53 sapphire sshd[45503]: Did not receive identification string from 211.140.3.214
Oct  6 15:40:25 sapphire sshd[45521]: User root from 211.140.3.214 not allowed because not listed in AllowUsers
Oct  6 15:40:27 sapphire sshd[45523]: User root from 211.140.3.214 not allowed because not listed in AllowUsers
Oct  6 15:40:30 sapphire sshd[45525]: User root from 211.140.3.214 not allowed because not listed in AllowUsers
Oct  6 15:40:31 sapphire sshd[45527]: User root from 211.140.3.214 not allowed because not listed in AllowUsers
Oct  6 16:13:46 sapphire sshd[46124]: Did not receive identification string from 69.64.93.42
Oct  6 16:16:55 sapphire sshd[46185]: Did not receive identification string from 86.65.178.42
Oct  6 16:18:10 sapphire sshd[46218]: User root from 69.64.93.42 not allowed because not listed in AllowUsers
Oct  6 16:18:12 sapphire sshd[46220]: Invalid user PlcmSpIp from 69.64.93.42
Oct  6 16:18:14 sapphire sshd[46222]: Invalid user PlcmSpIp from 69.64.93.42
Oct  6 16:18:16 sapphire sshd[46224]: Invalid user PlcmSpIp from 69.64.93.42
Oct  6 16:20:38 sapphire sshd[46271]: User root from 86.65.178.42 not allowed because not listed in AllowUsers

Just to share the method I have been using for years. There are many SSH brute-force prevention tools out there to choose from, but I still prefer the simple way: PF plus public-key authentication for SSH access. With PF, three lines of rules are enough to keep the kiddies out.

table <badguy> persist
# "proto tcp" is required here: pf only accepts a port match on tcp/udp rules
block in quick on $ext_if proto tcp from <badguy> to ($ext_if) port 22
pass  in quick on $ext_if inet proto tcp from any to ($ext_if) port 22 \
 keep state (max-src-conn 6, max-src-conn-rate 5/300, overload <badguy> flush global)

* Explanation of the pf rules:

Line #1: Create the pf table <badguy>.

Line #2: Block connection attempts to port 22 from any host listed in table <badguy>.

Line #3: Allow connections to port 22, but limit each source to 6 simultaneous connections and to 5 new connections within 300 seconds. A host that exceeds either limit has its IP address placed in the <badguy> table.
  max-src-conn: maximum number of simultaneous TCP connections (3-way handshake completed) that a single host may have open
  max-src-conn-rate: limit the rate of new connections to a given number per time interval; here, 5 connections within 300 seconds
  overload <badguy>: put an offending host's IP address into the "badguy" table
  flush global: kill all states created by that source IP, regardless of which rule created them

From the auth.log, you probably noticed that each source gets at most 5 attempts and then disappears. That is how effective PF is. See the OpenBSD PF FAQ for more information on the syntax.
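To see the max-src-conn-rate 5/300 rule at work on log data, here is an added example (not from the original post) that replays sshd auth.log lines through the same sliding-window rate check pf applies and reports which sources would have been overloaded into <badguy>. The log lines are constructed (TEST-NET addresses) and the year is assumed to be 2009, since syslog timestamps omit it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# sshd auth.log lines as in the post: year-less syslog timestamp, then the message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?:Invalid user \S+ from|User \S+ from|Did not receive identification string from) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})")

def parse(line, year=2009):
    """Return (timestamp, source IP) for a connection-attempt line, else None.
    Syslog omits the year, so one is assumed (2009, the year of the post)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["src"]

def overloaded_sources(lines, max_rate=5, interval=300):
    """Emulate 'max-src-conn-rate 5/300 overload <badguy>': the connection that
    pushes a source above max_rate within any interval-second window puts it in
    the table. Returns {ip: time of that offending connection}."""
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    badguy = {}
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue              # not a connection attempt (e.g. "Server listening")
        ts, src = parsed
        if src in badguy:
            continue              # pf drops these; the source creates no new states
        window = recent[src]
        window.append(ts)
        while (ts - window[0]).total_seconds() > interval:
            window.popleft()      # expire attempts older than the interval
        if len(window) > max_rate:
            badguy[src] = ts      # 6th attempt within 300 s: overload the source
    return badguy

# Constructed sample (TEST-NET addresses), not taken from the post's log.
SAMPLE_LOG = """\
Oct  9 06:09:45 host sshd[1001]: Did not receive identification string from 203.0.113.5
Oct  9 06:09:47 host sshd[1002]: Invalid user mary from 203.0.113.5
Oct  9 06:09:49 host sshd[1003]: User root from 203.0.113.5 not allowed because not listed in AllowUsers
Oct  9 06:09:51 host sshd[1004]: Invalid user mary from 203.0.113.5
Oct  9 06:09:53 host sshd[1005]: Invalid user mary from 203.0.113.5
Oct  9 06:09:55 host sshd[1006]: Invalid user mary from 203.0.113.5
Oct  9 07:00:00 host sshd[1010]: Invalid user admin from 198.51.100.7
Oct  9 07:20:00 host sshd[1012]: Received signal 15; terminating.
""".splitlines()
```

Running overloaded_sources(SAMPLE_LOG) lists only 203.0.113.5 (its sixth attempt inside 300 seconds trips the rule), while a single attempt from 198.51.100.7 stays below the rate and is never tabled; a slow scanner that spaces attempts more than 300 seconds apart would likewise stay out, which is why the post pairs the rule with public-key authentication.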

pfctl is nifty for displaying bad guys in table <badguy>.
# pfctl -T show -t badguy


False alarm? pfctl is still handy. Just remove the IP address from the table.

# pfctl -T delete -t badguy 219.234.93.101

Logging with passive OS fingerprinting showed that 100% of the hosts that have been brute-forcing are running Linux. I'm seriously considering placing this line in pf.conf, and the world will be a peaceful place. :P

block in quick on $ext_if proto tcp from any os "Linux" to ($ext_if) port 22

October 9th, 2009, posted by Kevin Foo (chfl4gs_)