From: Lowell Gilbert
Sender: lowell@be-well.ilk.org
To: Gene, freebsd-questions@FreeBSD.ORG
Date: 11 Jan 2005 09:40:58 -0500
Subject: Re: High levels of breakin attempts
In-Reply-To: <41E3E02B.9080800@mindspring.com>
References: <41E36115.6050003@Bomgardner.net> <41E3E02B.9080800@mindspring.com>
Message-ID: <44llb0hvut.fsf@be-well.ilk.org>
User-Agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.3
List-Id: User questions <freebsd-questions@freebsd.org>

Carleton Vaughn writes:

> Gene wrote:
>
> > Over the past few months there has been a remarkably high level of
> > brute force attacks logged by sshd. I was wondering, is there a way
> > that sshd (or some other package) can monitor login attempts and if
> > more than say 5 or 6 attempts are made to login from a particular ip
> > address, temporarily block that address (perhaps at the firewall)?
> > It'd be real satisfying to just dump the attackers' packets to the
> > bit bucket and slow 'em down a bit.
>
> Not that I'm an expert (and not that that's stopping me), but this can
> be done by configuring sshd to use PAM and selecting a PAM module such
> as pam_abl that can blacklist sites that send too many attempts. See
> http://www.kernel.org/pub/linux/libs/pam/modules.html for examples.

Always remember, however, to be careful that this doesn't open you up to
an easy denial-of-service attack. If all somebody has to do is try to
log in a half-dozen times to lock out the IP address they're connecting
from, you may be making it possible for them to attack your operation
without breaking into your machine.

"5 or 6" login attempts doesn't remotely constitute a "brute force"
attack. From what I've seen on my own machine, these attempts seem to be
trying passwords from a particular Linux distribution that shipped with
default passwords on a number of accounts. Sometimes it makes me feel
better to lock out such "attacks," but I don't actually kid myself into
thinking that I'm either improving my own security or inconveniencing
the attacker noticeably.

-- 
Lowell Gilbert, embedded/networking software engineer, Boston area
http://be-well.ilk.org/~lowell/
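The mechanism Gene asks for, counting failed sshd logins per source address and blocking an address once it crosses a threshold, is shown below as an added example; it is not code from the thread, from pam_abl, or from FreeBSD. It parses constructed sshd syslog lines (labelled as such in the code), keeps a sliding window of failures per address, and issues a block that expires after a fixed time. To address Lowell's denial-of-service caveat it also takes an allowlist of addresses that can never be locked out, and it clears an address's counter on a successful login. The threshold of 6 failures, the 10-minute window, the one-hour block length, the hostname `gw`, the year 2005 and the pf table name `sshbrute` are all assumptions chosen for the example; the `pfctl -t <table> -T add <address>` form is real pf syntax, but the table must be declared in pf.conf before it can be used.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of sshd syslog output in the /var/log/auth.log style.
# These lines are made up for the example and are not from the mailing-list thread.
SAMPLE_LOG = """\
Jan 11 09:00:01 gw sshd[1201]: Failed password for invalid user test from 192.0.2.10 port 4011 ssh2
Jan 11 09:00:03 gw sshd[1203]: Failed password for invalid user guest from 192.0.2.10 port 4012 ssh2
Jan 11 09:00:04 gw sshd[1204]: Failed password for lowell from 198.51.100.7 port 50100 ssh2
Jan 11 09:00:05 gw sshd[1205]: Failed password for invalid user admin from 192.0.2.10 port 4013 ssh2
Jan 11 09:00:06 gw login: ROOT LOGIN (root) ON ttyv0
Jan 11 09:00:07 gw sshd[1206]: Connection closed by 192.0.2.10
Jan 11 09:00:08 gw sshd[1207]: Failed password for root from 192.0.2.10 port 4014 ssh2
Jan 11 09:00:09 gw sshd[1208]: Accepted publickey for lowell from 198.51.100.7 port 50101 ssh2
Jan 11 09:00:10 gw sshd[1209]: Failed password for invalid user oracle from 192.0.2.10 port 4015 ssh2
Jan 11 09:00:12 gw sshd[1210]: Failed password for invalid user user from 192.0.2.10 port 4016 ssh2
Jan 11 09:00:15 gw sshd[1211]: Failed password for root from 192.0.2.10 port 4017 ssh2
Jan 11 09:01:00 gw sshd[1212]: Failed password for root from 203.0.113.5 port 6000 ssh2
Jan 11 09:01:02 gw sshd[1213]: Failed password for root from 203.0.113.5 port 6001 ssh2
Jan 11 09:01:04 gw sshd[1214]: Failed password for root from 203.0.113.5 port 6002 ssh2
Jan 11 09:01:06 gw sshd[1215]: Failed password for root from 203.0.113.5 port 6003 ssh2
Jan 11 09:01:08 gw sshd[1216]: Failed password for root from 203.0.113.5 port 6004 ssh2
Jan 11 09:01:10 gw sshd[1217]: Failed password for root from 203.0.113.5 port 6005 ssh2
"""

# syslog prefix ("Mon DD HH:MM:SS host sshd[pid]: message"); the year is not logged.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"\S+ sshd\[\d+\]: (?P<msg>.*)$"
)
FAILED_RE = re.compile(r"^Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port")
ACCEPTED_RE = re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port")
LOG_YEAR = 2005  # assumed, because syslog timestamps carry no year


def parse_line(line):
    """Return (timestamp, event, ip) for an sshd auth line, where event is
    'failed' or 'accepted'; return None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    msg = m["msg"]
    f = FAILED_RE.match(msg)
    if f:
        return ts, "failed", f["ip"]
    a = ACCEPTED_RE.match(msg)
    if a:
        return ts, "accepted", a["ip"]
    return None


def find_blocks(lines, threshold=6, window=timedelta(minutes=10),
                block_for=timedelta(hours=1), allowlist=frozenset()):
    """Sliding-window counter: an address with `threshold` failures inside
    `window` gets a block that expires after `block_for`. Addresses on
    `allowlist` are never blocked, and a successful login resets the count,
    so a burst of bad passwords cannot lock out your own hosts or admins.
    Returns {ip: (blocked_at, expires_at)}."""
    recent = defaultdict(deque)  # ip -> timestamps of recent failures
    blocks = {}                  # ip -> (blocked_at, expires_at)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, event, ip = parsed
        if event == "accepted":
            recent.pop(ip, None)  # legitimate user got in; forget their typos
            continue
        if ip in allowlist:
            continue
        if ip in blocks and ts < blocks[ip][1]:
            continue              # already blocked and the block has not expired
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop failures that fell out of the window
        if len(q) >= threshold:
            blocks[ip] = (ts, ts + block_for)
            q.clear()
    return blocks


def pfctl_commands(blocks, table="sshbrute"):
    """Render the block list as pf table additions. The table name is a
    hypothetical choice and must already be declared in pf.conf."""
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(blocks)]


if __name__ == "__main__":
    found = find_blocks(SAMPLE_LOG.splitlines(), allowlist={"203.0.113.5"})
    for ip, (at, until) in found.items():
        print(f"{ip}: blocked at {at:%H:%M:%S}, expires {until:%H:%M:%S}")
    print("\n".join(pfctl_commands(found)))
```

Run against the sample, 192.0.2.10 is blocked on its sixth failure at 09:00:12 and its seventh attempt is ignored; 198.51.100.7 has one failure followed by a successful key login and is never counted; 203.0.113.5 sends six failures but sits on the allowlist, which is the knob that keeps a flood of bad logins from turning into the lockout Lowell warns about. The expiry time is what makes a false positive a nuisance rather than an outage; a cron job or daemon would remove addresses from the table once `expires_at` has passed.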