From owner-freebsd-questions@FreeBSD.ORG Wed Apr 6 07:29:00 2005
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 11C9816A4CE
	for ; Wed, 6 Apr 2005 07:29:00 +0000 (GMT)
Received: from smtp812.mail.sc5.yahoo.com (smtp812.mail.sc5.yahoo.com [66.163.170.82])
	by mx1.FreeBSD.org (Postfix) with SMTP id A980E43D2D
	for ; Wed, 6 Apr 2005 07:28:59 +0000 (GMT)
	(envelope-from krinklyfig@spymac.com)
Received: from unknown (HELO smogmonster.com) (jtinnin@pacbell.net@64.171.3.164 with login)
	by smtp812.mail.sc5.yahoo.com with SMTP; 6 Apr 2005 07:28:59 -0000
From: Joshua Tinnin
To: freebsd-questions@freebsd.org, "Edwin D. Vinas"
Date: Wed, 6 Apr 2005 00:28:58 -0700
User-Agent: KMail/1.8
References: <36f5bbba050406001514562df7@mail.gmail.com>
In-Reply-To: <36f5bbba050406001514562df7@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200504060028.58572.krinklyfig@spymac.com>
Subject: Re: too many illegal connection attempts through ssh
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 06 Apr 2005 07:29:00 -0000

On Wednesday 06 April 2005 00:15, "Edwin D. Vinas" wrote:
> hello,
>
> shown below is snapshot of too many illegal attempts to login to my
> server from a suspicious hacker. this is taken from the
> "/var/log/auth.log". my question is, how do i automatically block an
> IP address if it is attempting to guess my login usernames?

The easiest way to fix this problem most of the time is just change the
ssh port to something else, like a high numbered port that's otherwise
unassigned.

> can i
> configure the firewall to check the instances a certain IP has
> attempted to access/ssh the server, and if it has failed to login for
> about "x" number of attempts, it will be blocked automatically?

Yes, the best way to deal with this is through the firewall rather than
sshd, if you still get people hammering away at your ssh port even
after you change it. What are you using? You might want to check in
chapter 24 of the handbook ...

- jt
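
The counting step the question asks about ("x" failed attempts from one address in /var/log/auth.log), as an added example that is not part of the original message. It assumes sshd's "Failed password for ... from ADDR port N ssh2" line format; the threshold, the time window, the allow list and all names are hypothetical, and the log lines are constructed. It prints one address per line, to be loaded into the block table of whichever firewall is in use.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Anchored at end of line with a greedy user field: the address captured is the
# one sshd appended, never text a client smuggled into the user name.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:(?:illegal|invalid) user )?.* from (\S+) port \d+(?: ssh\d?)?\s*$"
)

def offenders(lines, max_failures=3, window=timedelta(minutes=10), allow=()):
    """Return addresses with >= max_failures failed logins inside `window`."""
    allowed = {ipaddress.ip_address(a) for a in allow}  # never block these
    recent = defaultdict(deque)   # address -> failure times still in window
    flagged = set()
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        try:
            # syslog has no year; a fixed leap year keeps "Feb 29" parseable
            when = datetime.strptime("2004 " + m.group(1), "%Y %b %d %H:%M:%S")
            addr = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue              # malformed timestamp or address: skip line
        if addr in allowed:
            continue
        q = recent[addr]
        q.append(when)
        while when - q[0] > window:
            q.popleft()           # drop failures older than the window
        if len(q) >= max_failures:
            flagged.add(str(addr))
    return sorted(flagged)

# Constructed sample lines (documentation addresses); line 4 carries a forged
# "from 198.51.100.9" inside the user name and must count for 203.0.113.5.
SAMPLE = """\
Apr  6 00:10:01 myhost sshd[4021]: Failed password for illegal user admin from 203.0.113.5 port 40112 ssh2
Apr  6 00:10:04 myhost sshd[4022]: Failed password for root from 203.0.113.5 port 40115 ssh2
Apr  6 00:10:06 myhost sshd[4023]: Failed password for illegal user test from 198.51.100.9 port 51200 ssh2
Apr  6 00:10:09 myhost sshd[4024]: Failed password for illegal user x from 198.51.100.9 port 1 ssh2 from 203.0.113.5 port 40120 ssh2
Apr  6 00:11:30 myhost sshd[4030]: Accepted password for alice from 192.0.2.7 port 60022 ssh2
Apr  6 00:12:00 myhost sshd[4031]: Failed password for alice from 192.0.2.7 port 60030 ssh2
""".splitlines()

if __name__ == "__main__":
    print("\n".join(offenders(SAMPLE, allow=["192.0.2.7"])))
```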