From owner-freebsd-questions@FreeBSD.ORG Tue Jan 11 08:12:35 2005
Message-ID: <41E38A6C.1070601@locolomo.org>
Date: Tue, 11 Jan 2005 09:12:28 +0100
From: Erik Norgaard
To: Gene
cc: "freebsd-questions@FreeBSD.ORG"
References: <41E36115.6050003@Bomgardner.net>
In-Reply-To: <41E36115.6050003@Bomgardner.net>
Subject: Re: High levels of breakin attempts

Gene wrote:
> Over the past few months there has been a remarkably high level of
> brute force attacks logged by sshd. I was wondering, is there a way that
> sshd (or some other package) can monitor login attempts and if more than
> say 5 or 6 attempts are made to login from a particular ip address,
> temporarily block that address (perhaps at the firewall)? It'd be real
> satisfying to just dump the attackers' packets to the bit bucket and
> slow 'em down a bit.

Sorry, but this topic was discussed just before you posted - see "Blacklisting IPs" - and it is regularly discussed on various lists. Everyone asks that same question, and everyone proposes the same solutions. Could this be added to the FAQ?

Cheers, Erik

--
Ph: +34.666334818
web: www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID: A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2