Quick Note: sshblack updates for OSX 10.6 and China

If you’ve got sshd (or anything else) running on your computer that is open to the internet, I recommend installing some extra security measures to help ensure you don’t get hacked. I’m not going to go into all those details right now, but I recommend setting up sshblack, which watches your logs and blacklists hosts that make repeated attempts to break into your system. I’ve got sshblack running on OSX (basic Mac config instructions here), and since I recently updated to Snow Leopard, I had noticed some extra network activity. After checking my logs, I could tell that someone bad in China was trying to brute force their way into my machine with a list of random user names. (Obviously you should disable ssh access for all common usernames like root; with OpenSSH that means `PermitRootLogin no` and an `AllowUsers` list in sshd_config, so a guessed password on an account you never meant to expose still gets nowhere.)

So after reading the logs, it turns out that the ssh error messages have changed in 10.6, so you need to update your sshblack to look for these new errors. Or maybe this is just a new type of attack, but it did coincide with my Snow Leopard update. The relevant detail is that sshd logs “Invalid user NAME from ADDRESS” when the attempted username does not exist on the system at all, whereas “Failed password” is what you get for a wrong password on a real account, so a dictionary of made-up usernames produces lines that the stock pattern never matches and the attacker is never blacklisted. Regardless, I had to add “Invalid user” to the $REASONS pattern in my sshblack.pl:

my($REASONS) = '(Failed password|Failed none|Invalid user )';

And then just restart your sshblack.  So there you go, my system is now back to blocking China.  I guess Michael Scott was right.
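As an added illustration (not part of the original post and not sshblack’s own code), here is a small Python script that applies the same $REASONS pattern to a few constructed sshd log lines in the style of OS X’s secure.log, counts failures per source address and reports which addresses cross a blacklisting threshold. Run with the stock pattern and then with the amended one, it shows why a username-guessing run that only produces “Invalid user” lines was invisible before the change. The log lines, addresses, threshold, whitelist and the ipfw deny command are assumptions for the example, not values taken from sshblack’s configuration; the whitelist is there because a log watcher that can block addresses can also lock you out of your own box.

```python
import re
from collections import Counter

# Constructed sample lines in the style of sshd entries in OS X's
# /var/log/secure.log. Hostnames, usernames and addresses are made up
# (documentation/TEST-NET ranges), and this is not a real captured log.
SAMPLE_LOG = """\
Sep 12 03:14:01 mymac sshd[4121]: Invalid user oracle from 203.0.113.7
Sep 12 03:14:03 mymac sshd[4123]: Invalid user test from 203.0.113.7
Sep 12 03:14:05 mymac sshd[4125]: Invalid user admin from 203.0.113.7
Sep 12 03:14:07 mymac sshd[4127]: Invalid user guest from 203.0.113.7
Sep 12 03:15:40 mymac sshd[4130]: Failed password for bob from 198.51.100.9 port 51022 ssh2
Sep 12 03:15:44 mymac sshd[4130]: Accepted publickey for bob from 198.51.100.9 port 51022 ssh2
Sep 12 03:16:02 mymac sshd[4140]: Failed none for root from 192.0.2.44 port 40112 ssh2
Sep 12 03:16:04 mymac sshd[4140]: Failed password for root from 192.0.2.44 port 40112 ssh2
Sep 12 03:16:06 mymac sshd[4140]: Failed password for root from 192.0.2.44 port 40112 ssh2
Sep 12 03:16:08 mymac sshd[4140]: Failed password for root from 192.0.2.44 port 40112 ssh2
"""

# The stock pattern and the amended one from the post (same Perl regex syntax,
# which Python's re module reads unchanged). Note the trailing space after
# "Invalid user" so the alternation does not match arbitrary text.
OLD_REASONS = r"(Failed password|Failed none)"
NEW_REASONS = r"(Failed password|Failed none|Invalid user )"

# Source address as sshd prints it: "... from 203.0.113.7 ...".
IP_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")


def count_failures(log_text, reasons):
    """Return a Counter of matching failure lines per source address.

    A line counts only if it matches `reasons` AND carries a "from <ip>"
    token; lines such as "Accepted publickey ..." are ignored entirely.
    """
    reason_re = re.compile(reasons)
    counts = Counter()
    for line in log_text.splitlines():
        if not reason_re.search(line):
            continue
        m = IP_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def offenders(log_text, reasons, threshold=4, whitelist=()):
    """Addresses with at least `threshold` failures, minus any whitelisted ones.

    The threshold and whitelist are assumed values for this example; sshblack
    keeps its own equivalents in its configuration.
    """
    counts = count_failures(log_text, reasons)
    return sorted(ip for ip, n in counts.items()
                  if n >= threshold and ip not in whitelist)


def block_commands(ips):
    """Build ipfw deny rules for the offending addresses.

    Assumed firewall action for the example: a plain ipfw deny rule. sshblack
    runs whatever block command its configuration names; these strings are
    only generated here, never executed.
    """
    return ["/sbin/ipfw add deny ip from %s to any" % ip for ip in ips]


if __name__ == "__main__":
    for label, reasons in (("stock", OLD_REASONS), ("amended", NEW_REASONS)):
        bad = offenders(SAMPLE_LOG, reasons)
        print("%-8s pattern blacklists: %s" % (label, bad or "nobody"))
        for cmd in block_commands(bad):
            print("    " + cmd)
```

With the stock pattern only 192.0.2.44 (the root password guesser) crosses the threshold; the four “Invalid user” lines from 203.0.113.7 match nothing, which is exactly the blind spot the post fixes. With the amended pattern both addresses are blacklisted, and passing your own address in `whitelist` keeps a fat-fingered password from turning the watcher against you.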