From: Adam Stroud
Date: Tue, 11 Apr 2006 23:33:13 -0400
To: Jonathan Franks
Cc: Chris Maness, freebsd-questions@freebsd.org
Subject: Re: How to Stop Brute Force ssh Attempts?

I second that. I have been doing the same thing (except running an OpenBSD firewall that blocks the offenders via pf) and it works like a charm.

A

Jonathan Franks wrote:
>
> On Mar 18, 2006, at 12:39 PM, Chris Maness wrote:
>
>> In my auth log I see a lot of brute force attempts to login via ssh.
>> Is there a way I can have the box automatically kill any tcp/ip
>> connectivity to hosts that try and fail a given number of times? Is
>> there a port or something that I can install to give this kind of
>> protection? I'm still kind of a FreeBSD newbie.
>
> If you are using PF, you can use source tracking to drop the offenders
> into a table... perhaps after a certain number of attempts in a given
> time (say, 5 in a minute). Once you have the table you're in
> business... you can block based on it... and then set up a cron job to
> copy the table to disk every so often (perhaps once every two
> minutes). It works very well for me, YMMV.
>
> If you don't want to block permanently, you could use cron to flush
> the table every so often too... I don't bother though.
>
> -Jonathan
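A pf.conf fragment implementing the setup Jonathan describes (an added example, not code from his post or from the FreeBSD project); the interface name em0, the table name bruteforce, the file path /var/db/bruteforce and the 5-connections-in-60-seconds threshold are assumptions. Note that pf counts new TCP connections per source address, not failed logins, so the thresholds need headroom for legitimate users who open several sessions in a row.

```pf
# /etc/pf.conf fragment: rate-limit new SSH connections per source and
# block repeat offenders. Added example, not from the thread.
# Assumptions: em0 is the external interface, the table is named
# <bruteforce>, and its on-disk copy lives in /var/db/bruteforce.
ext_if = "em0"

# "persist" keeps the table across rule reloads; "file" pre-seeds it from
# the copy written by the cron job below, so blocks survive a reboot.
table <bruteforce> persist file "/var/db/bruteforce"

# Drop anything already in the table before evaluating the pass rule.
block in quick on $ext_if from <bruteforce>

# Allow SSH but track each source: more than 5 new connections in 60 s
# (or more than 10 open at once) adds the source to <bruteforce>, and
# "flush global" tears down the states that source already holds.
pass in quick on $ext_if proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/60, \
     overload <bruteforce> flush global)

# root crontab entries (crontab syntax, not pf.conf) for the two
# housekeeping jobs in the thread: copy the table to disk every two
# minutes, and optionally age out entries older than a day at 03:00.
#   */2 * * * * /sbin/pfctl -t bruteforce -T show > /var/db/bruteforce
#   0 3 * * *   /sbin/pfctl -t bruteforce -T expire 86400
# "-T show" prints one address per line, which the "file" keyword above
# reads back; use "-T flush" instead of "-T expire" to clear everything.
```

Create /var/db/bruteforce (an empty file is fine) before the first `pfctl -f /etc/pf.conf`, because pf refuses to load a table whose source file is missing.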