From owner-freebsd-questions@FreeBSD.ORG Thu Dec 4 02:54:02 2008
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 802F9106564A for ; Thu, 4 Dec 2008 02:54:02 +0000 (UTC) (envelope-from danielby@slightlystrange.org)
Received: from mtaout02-winn.ispmail.ntl.com (mtaout02-winn.ispmail.ntl.com [81.103.221.48]) by mx1.freebsd.org (Postfix) with ESMTP id 08D398FC13 for ; Thu, 4 Dec 2008 02:54:01 +0000 (UTC) (envelope-from danielby@slightlystrange.org)
Received: from aamtaout02-winn.ispmail.ntl.com ([81.103.221.35]) by mtaout02-winn.ispmail.ntl.com (InterMail vM.7.08.04.00 201-2186-134-20080326) with ESMTP id <20081204025400.EWLX1717.mtaout02-winn.ispmail.ntl.com@aamtaout02-winn.ispmail.ntl.com> for ; Thu, 4 Dec 2008 02:54:00 +0000
Received: from catflap.slightlystrange.org ([82.21.101.171]) by aamtaout02-winn.ispmail.ntl.com (InterMail vG.2.02.00.01 201-2161-120-102-20060912) with ESMTP id <20081204025400.GRQN21638.aamtaout02-winn.ispmail.ntl.com@catflap.slightlystrange.org> for ; Thu, 4 Dec 2008 02:54:00 +0000
Received: by catflap.slightlystrange.org (Postfix, from userid 106) id 1B71F613F; Thu, 4 Dec 2008 02:53:58 +0000 (GMT)
Received: from torus.slightlystrange.org (torus.slightlystrange.org [10.1.3.50]) by catflap.slightlystrange.org (Postfix) with SMTP id A25266133 for ; Thu, 4 Dec 2008 02:53:57 +0000 (GMT)
Received: by torus.slightlystrange.org (sSMTP sendmail emulation); Thu, 4 Dec 2008 02:53:57 +0000
From: "Daniel Bye"
Date: Thu, 4 Dec 2008 02:53:57 +0000
To: FreeBSD Questions
Subject: Re: Firewalls using a DNSbl (and distributed ssh attacks)
Message-ID: <20081204025357.GD19575@torus.slightlystrange.org>
Mail-Followup-To: FreeBSD Questions
References:
In-Reply-To:
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"
User-Agent: Mutt/1.4.2.3i
X-PGP-Fingerprint: D349 B109 0EB8 2554 4D75 B79A 8B17 F97C 1622 166A
X-Operating-System: FreeBSD 7.1-PRERELEASE i386
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Daniel Bye
List-Id: User questions
X-List-Received-Date: Thu, 04 Dec 2008 02:54:02 -0000

On Wed, Dec 03, 2008 at 07:43:26PM -0600, Jeffrey Goldberg wrote:
> It's not a big issue, but I'm wondering if there is a DNSBL that lists
> IPs that are engaging in brute force ssh attacks. And if there is
> such a list, is there a way to integrate that information into a
> firewall or sshd.
>
> As I've said, this really isn't a big issue for me, as the brute force
> attempts at sshd are nothing but an annoyance as I review logs.
>
> The attacks that I'm seeing appear to be coordinated and distributed.
> That is, there will be one attempt on username "fred" from one IP,
> immediately followed by an attempt on "freddy" from another IP,
> followed by an attempt on "fredrick" from a third source, and so on.

I don't know of any DNSbl-type service, but I am using DenyHosts with
very great success. Its synchronisation feature allows participating
instances of the script to share IP addresses of misbehaving hosts, so
as soon as an address hits the database, it's only a matter of an hour
or so before your instance can start blocking it.

The basic setup uses TCP wrappers to block offending hosts, but I am
using the datafile it maintains as a file-based table in pf, which I
reload periodically from a cronjob.

Dan

-- 
Daniel Bye
                                                                _
                                       ASCII ribbon campaign ( )
                                  - against HTML, vCards and  X
                   - proprietary attachments in e-mail        / \

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (FreeBSD)

iEYEARECAAYFAkk3RkUACgkQixf5fBYiFmonhgCgslPAyIXD1ARigWJnB5x2PBZO
BoEAmgPejzMk4uNU1qPnRkaaSn4eAfku
=6/K7
-----END PGP SIGNATURE-----
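The reply above describes feeding the DenyHosts data file into a pf table from cron but does not show the mechanics. The script below is an added example, not Daniel Bye's own setup or anything shipped with DenyHosts. It assumes (the page does not say) that the input is the hosts.deny file DenyHosts maintains, with one `sshd: A.B.C.D` entry per blocked host and `#` comment lines, and that pf.conf declares the table and a rule such as:

    table <denyhosts> persist file "/var/db/denyhosts.table"
    block in quick on $ext_if proto tcp from <denyhosts> to any port ssh

The table name and all paths are hypothetical. `pfctl -T replace -f` swaps the kernel table against the file in one operation, so there is no window in which the table is empty between reloads. The `ALLOW` list exists because a shared blocklist can contain your own management address; a practitioner should populate it before the first cron run rather than after being locked out.

```shell
#!/bin/sh
# denyhosts2pf: rebuild a pf table from a DenyHosts-style hosts.deny file.
# Added example; assumptions (input format, paths, table name) are marked.

DENY_SRC="${DENY_SRC:-/etc/hosts.deny}"                 # assumed DenyHosts output
TABLE_FILE="${TABLE_FILE:-/var/db/denyhosts.table}"     # hypothetical path
TABLE_NAME="${TABLE_NAME:-denyhosts}"                   # must match pf.conf
ALLOW="${ALLOW:-}"   # space-separated addresses that must never be blocked

# extract_ips FILE
# Print the unique IPv4 addresses from "sshd: A.B.C.D" lines, ignoring
# comments, entries for other services, and anything that is not a valid
# dotted quad (a corrupt or hostile line must not reach pfctl).
extract_ips() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' "$1" \
    | awk -F'[: \t]+' '
        $1 == "sshd" && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            n = split($2, o, ".")
            ok = (n == 4)
            for (i = 1; i <= n; i++) if (o[i] + 0 > 255) ok = 0
            if (ok) print $2
        }' \
    | sort -u
}

# build_table FILE
# extract_ips minus the ALLOW list, in pf table-file format (one address per line).
build_table() {
    extract_ips "$1" | while read -r ip; do
        skip=0
        for a in $ALLOW; do
            [ "$ip" = "$a" ] && skip=1
        done
        if [ "$skip" -eq 0 ]; then
            printf '%s\n' "$ip"
        fi
    done
}

# reload_table
# Write the new table file atomically (tmp + rename), then replace the
# kernel table in one pfctl call. Returns non-zero on any failure so cron
# reports it rather than silently leaving a stale or empty table.
reload_table() {
    tmp="$(mktemp "${TABLE_FILE}.XXXXXX")" || return 1
    if ! build_table "$DENY_SRC" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$TABLE_FILE" || return 1
    pfctl -t "$TABLE_NAME" -T replace -f "$TABLE_FILE"
}

# Run the reload only when invoked as the script itself (e.g. from cron as
# "*/15 * * * * /usr/local/sbin/denyhosts2pf"); sourcing it just defines
# the functions.
case "$0" in
    *denyhosts2pf*) reload_table ;;
esac
```

Run it from root's crontab at whatever interval matches how often DenyHosts synchronises; `pfctl -t denyhosts -T show` afterwards confirms what the kernel actually holds, and `pfctl -t denyhosts -T test A.B.C.D` checks a single address without touching the table.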