From owner-freebsd-questions@FreeBSD.ORG Tue Jan 11 14:19:23 2005
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2728B16A4CE for ; Tue, 11 Jan 2005 14:19:23 +0000 (GMT)
Received: from maynard.mail.mindspring.net (maynard.mail.mindspring.net [207.69.200.243]) by mx1.FreeBSD.org (Postfix) with ESMTP id BF8C443D1D for ; Tue, 11 Jan 2005 14:19:22 +0000 (GMT) (envelope-from keebler@mindspring.com)
Received: from user-11faknj.dsl.mindspring.com ([66.245.82.243] helo=[192.168.1.100]) by maynard.mail.mindspring.net with esmtp (Exim 3.33 #1) id 1CoMrf-0002YU-00; Tue, 11 Jan 2005 09:19:19 -0500
Message-ID: <41E3E02B.9080800@mindspring.com>
Date: Tue, 11 Jan 2005 09:18:19 -0500
From: Carleton Vaughn
User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Gene
References: <41E36115.6050003@Bomgardner.net>
In-Reply-To: <41E36115.6050003@Bomgardner.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
cc: "freebsd-questions@FreeBSD. ORG"
Subject: Re: High levels of breakin attempts
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 11 Jan 2005 14:19:23 -0000

Gene wrote:
> Over the past few months there have been a remarkably high level of
> brute force attacks logged by sshd. I was wondering, is there a way that
> sshd (or some other package) can monitor login attempts and if more than
> say 5 or 6 attempts are made to login from a particular ip address,
> temporarily block that address (perhaps at the firewall)? It'd be real
> satisfying to just dump the attackers' packets to the bit bucket and
> slow 'em down a bit.

Not that I'm an expert (and not that that's stopping me), but this can be done by configuring sshd to use PAM and selecting a PAM module such as pam_abl that can blacklist sites that send too many attempts. See http://www.kernel.org/pub/linux/libs/pam/modules.html for examples.

--
Carleton Vaughn
College Park, Georgia, USA
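
Added example, not part of the original message and not pam_abl's own code: a sliding-window counter over sshd "Failed password" log lines that decides which source addresses exceed the "more than 5 attempts" threshold from the question and for how long a temporary block would apply. The log lines are constructed samples using documentation-range addresses; the log format, the thresholds, the year, and the name `find_blocks` are assumptions, and applying the block at the firewall is left to the caller.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd log lines (documentation-range IPs, not real data).
SAMPLE_LOG = """\
Jan 11 09:00:01 host sshd[101]: Failed password for root from 192.0.2.10 port 4001 ssh2
Jan 11 09:00:03 host sshd[102]: Failed password for invalid user admin from 192.0.2.10 port 4002 ssh2
Jan 11 09:00:05 host sshd[103]: Failed password for root from 192.0.2.10 port 4003 ssh2
Jan 11 09:00:07 host sshd[104]: Accepted password for gene from 203.0.113.5 port 5001 ssh2
Jan 11 09:00:09 host sshd[105]: Failed password for root from 192.0.2.10 port 4004 ssh2
Jan 11 09:00:11 host sshd[106]: Failed password for bob from 198.51.100.7 port 6001 ssh2
Jan 11 09:00:13 host sshd[107]: Failed password for root from 192.0.2.10 port 4005 ssh2
Jan 11 09:00:15 host sshd[108]: Failed password for root from 192.0.2.10 port 4006 ssh2
Jan 11 09:20:00 host sshd[109]: Failed password for bob from 198.51.100.7 port 6002 ssh2
"""

# Assumed syslog layout: "<Mon> <day> <time> <host> sshd[pid]: Failed password ..."
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:(?:invalid|illegal) user )?\S+ from (\S+) port \d+"
)

def find_blocks(log_text, max_failures=5, window=timedelta(minutes=10),
                block_for=timedelta(hours=1), year=2005):
    """Return {ip: (blocked_at, unblock_at)} for hosts over the threshold."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    blocks = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue              # successful logins and other lines are ignored
        # Syslog timestamps carry no year, so one is supplied (assumption).
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if ip in blocks and when < blocks[ip][1]:
            continue              # still inside an active temporary block
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:
            q.popleft()           # drop failures older than the window
        if len(q) > max_failures:
            blocks[ip] = (when, when + block_for)
            q.clear()             # start counting afresh once the block expires
    return blocks

if __name__ == "__main__":
    for ip, (start, end) in find_blocks(SAMPLE_LOG).items():
        print(f"block {ip} from {start} until {end}")
```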