From owner-freebsd-security@FreeBSD.ORG  Sun Sep 19 01:50:21 2004
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 8D4F916A4D7
	for <freebsd-security@freebsd.org>;
	Sun, 19 Sep 2004 01:50:21 +0000 (GMT)
Received: from mail20.syd.optusnet.com.au (mail20.syd.optusnet.com.au
	[211.29.132.201])
	by mx1.FreeBSD.org (Postfix) with ESMTP id C259F43D54
	for <freebsd-security@freebsd.org>;
	Sun, 19 Sep 2004 01:50:20 +0000 (GMT)
	(envelope-from fbsd-security@mawer.org)
Received: from c211-30-90-140.belrs3.nsw.optusnet.com.au
	(c211-30-90-140.belrs3.nsw.optusnet.com.au [211.30.90.140])
	i8J1oJjc014448
	for <freebsd-security@freebsd.org>; Sun, 19 Sep 2004 11:50:19 +1000
Received: (qmail 79956 invoked from network); 19 Sep 2004 01:50:19 -0000
Received: from unknown (HELO ?10.1.1.1?) (unknown)
  by unknown with SMTP; 19 Sep 2004 01:50:19 -0000
Message-ID: <414CE5E8.6000103@mawer.org>
Date: Sun, 19 Sep 2004 11:50:32 +1000
From: Antony Mawer <fbsd-security@mawer.org>
User-Agent: Mozilla Thunderbird 0.8 (Windows/20040905-pigfoot)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Chris Ryan <chrisryanemail@yahoo.com.au>
References: <20040918142955.61586.qmail@web51007.mail.yahoo.com>
In-Reply-To: <20040918142955.61586.qmail@web51007.mail.yahoo.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
cc: Frankye - ML <listsucker@ipv5.net>
cc: freebsd-security@freebsd.org
Subject: Re: Attacks on ssh port
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 19 Sep 2004 01:50:21 -0000

Chris Ryan wrote:
> protection - with the appropriate active firewall that
> blocks their IP address after x failed attempts
> permanently....

Has anyone found any good scripts or utilities for automating this kind 
of thing? I too have been subject to these probings, and my initial 
thought was to firewall off any address after any number of incorrect 
attempts.

While I could write a script to parse the ipfilter logs, I didn't want 
to go re-inventing the wheel for something which I was sure someone 
would have already attempted.

Anyone have any suggestions?

Cheers
Antony