From: John Cruz
Reply-To: john@cruzweb.net
Organization: Cruz Web Development
To: Chris Maness
Cc: Jonathan Franks, freebsd-questions@freebsd.org
Date: Wed, 12 Apr 2006 00:27:43 -0400
Subject: Re: How to Stop Bruit Force ssh Attempts?
Message-ID: <443C81BF.6040407@gmail.com>
In-Reply-To: <443C7E26.2000803@chrismaness.com>
References: <441C45BA.1030106@chrismaness.com> <894280FF-CB83-4EEA-9CAD-422A34068354@taconic.net> <443C7E26.2000803@chrismaness.com>
List-Id: User questions <freebsd-questions@freebsd.org>

I used to have problems with brute force attempts as well. I just changed the port that SSH uses (TCP/IP port, not "ports collection" port) and the problems have stopped. I made it something that means something to me and maybe not to others, so it's a simple and powerful way of getting the job done.
-John

Chris Maness wrote:
> Jonathan Franks wrote:
>
>> On Mar 18, 2006, at 12:39 PM, Chris Maness wrote:
>>
>>> In my auth log I see a lot of brute force attempts to log in via
>>> ssh. Is there a way I can have the box automatically kill any tcp/ip
>>> connectivity to hosts that try and fail a given number of times?
>>> Is there a port or something that I can install to give this kind
>>> of protection? I'm still kind of a FreeBSD newbie.
>>
>> If you are using PF, you can use source tracking to drop the
>> offenders into a table... perhaps after a certain number of
>> attempts in a given time (say, 5 in a minute). Once you have the
>> table you're in business... you can block based on it... and then
>> set up a cron job to copy the table to disk every so often (perhaps
>> once every two minutes). It works very well for me, YMMV.
>>
>> If you don't want to block permanently, you could use cron to flush
>> the table every so often too... I don't bother though.
>>
>> -Jonathan
>
> I use a port called DenyHost. It adds an entry to hosts.allow that
> denies access.
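The two approaches in the thread (PF source tracking into a table, and DenyHosts watching the auth log) both come down to the same rule Chris asked for: N failed logins from one source inside a time window, then block the source. The script below is an added example, not code from anyone in this thread or from DenyHosts. It implements the log-watching half of that rule over constructed sshd syslog lines and renders the pfctl commands that would feed Jonathan's PF table; the table name `bruteforce`, the threshold of 5 failures per minute (his "5 in a minute") and the sample log are all assumptions made for the example. Two details a practitioner wants right: only the `Failed ...` line is counted, because sshd also logs a separate `Invalid user ... from ...` line for the same attempt on unknown accounts (counting both would double-count), and the window is a sliding one, so a few failures spread over an hour never accumulate into a block.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# OpenSSH syslog lines of these shapes are counted as one failed attempt each:
#   "Apr 11 23:58:01 host sshd[1201]: Failed password for root from 10.0.0.5 port 4123 ssh2"
#   "Apr 11 23:58:03 host sshd[1202]: Failed password for invalid user admin from 10.0.0.5 port 4124 ssh2"
# The "Invalid user admin from 10.0.0.5" line sshd logs alongside the second form
# deliberately does NOT match, so an unknown-account attempt is counted once.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed \S+ for (?:invalid user )?\S+ from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def parse_failure(line, year):
    """Return (timestamp, source_ip) for a failed-login line, or None for anything else.
    syslog timestamps carry no year, so the caller supplies it."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
    return ts, m.group("ip")


def find_offenders(lines, year, threshold=5, window_seconds=60):
    """Return the source IPs that produced >= threshold failed logins within any span of
    window_seconds, in the order they crossed the threshold. Lines must be chronological
    (as they are in a log file). Per IP, timestamps older than the window are dropped
    before counting, so slow, spread-out failures do not accumulate."""
    recent = defaultdict(deque)
    offenders = []
    for line in lines:
        parsed = parse_failure(line, year)
        if parsed is None:
            continue
        ts, ip = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ip not in offenders:
            offenders.append(ip)
    return offenders


def pfctl_commands(offenders, table="bruteforce"):
    """Render the pfctl invocations that add each offender to a PF table (the table a
    'block in quick from <bruteforce>' rule in pf.conf would reference). They are
    returned as strings rather than executed so the caller decides when to act."""
    return ["pfctl -t %s -T add %s" % (table, ip) for ip in offenders]


# Constructed sample log (assumption, not taken from the original thread): one host
# fails six times in twenty seconds, another fails twice fifteen minutes apart.
SAMPLE_LOG = """\
Apr 11 23:40:00 bsdbox sshd[1190]: Failed password for jcruz from 192.0.2.7 port 50001 ssh2
Apr 11 23:55:00 bsdbox sshd[1199]: Failed password for jcruz from 192.0.2.7 port 50002 ssh2
Apr 11 23:58:01 bsdbox sshd[1201]: Failed password for root from 10.0.0.5 port 4123 ssh2
Apr 11 23:58:03 bsdbox sshd[1202]: Invalid user admin from 10.0.0.5
Apr 11 23:58:03 bsdbox sshd[1202]: Failed password for invalid user admin from 10.0.0.5 port 4124 ssh2
Apr 11 23:58:06 bsdbox sshd[1203]: Failed password for root from 10.0.0.5 port 4125 ssh2
Apr 11 23:58:09 bsdbox sshd[1204]: Failed password for root from 10.0.0.5 port 4126 ssh2
Apr 11 23:58:12 bsdbox sshd[1205]: Failed password for root from 10.0.0.5 port 4127 ssh2
Apr 11 23:58:21 bsdbox sshd[1206]: Failed password for root from 10.0.0.5 port 4128 ssh2
Apr 12 00:10:00 bsdbox sshd[1210]: Accepted publickey for jcruz from 192.0.2.7 port 50003 ssh2
"""

if __name__ == "__main__":
    # 10.0.0.5 crosses 5 failures in 60 s; 192.0.2.7 never does.
    for cmd in pfctl_commands(find_offenders(SAMPLE_LOG.splitlines(), 2006)):
        print(cmd)
```

On the PF side the table and the rule that consumes it are `table <bruteforce> persist` and `block in quick from <bruteforce>` in pf.conf; Jonathan's cron job to survive a reboot is `pfctl -t bruteforce -T show > /some/file`, reloaded with `pfctl -t bruteforce -T add -f /some/file`, and `pfctl -t bruteforce -T flush` empties it if you do not want permanent blocks. PF can also apply the same 5-per-60-seconds rule in the kernel without any log parsing, via `keep state (max-src-conn-rate 5/60, overload <bruteforce> flush global)` on the pass rule for ssh, which is the source tracking Jonathan refers to.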