From: peter@bgnett.no (Peter N. M. Hansteen)
To: freebsd-questions@freebsd.org
Date: 25 Jan 2005 13:19:47 +0100
Subject: Re: Banning ips for some time?
Message-ID: <86k6q1lmzg.fsf@amidala.datadok.no>
In-Reply-To: <41F60ECC.8050206@myunix.net>

Christian Tischler writes:

> as I have a DSL line which is 24/7 online (coming from a big and
> popular provider) my server's sshd reports 30 to 50 failed
> root/operator/etc. logins a day. I would like to block the incoming ip
> for a few days automatically after e.g. failed login requests.

As others have said, this is probably more of a nuisance issue than a
security issue. Anyway, this was discussed recently on undeadly.org
(aka OpenBSD Journal).
The discussion, which offers some interesting input (some of it OpenBSD
specific or at least requiring pf), is available at
http://undeadly.org/cgi?action=article&sid=20041231195454

Then again, at least in some cases, the people listed in the whois info
for the offending IP appreciate a politely worded notification. Quite
likely they do not want this kind of activity either.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
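
An added example, not part of the original message or of the linked discussion: one way to turn the failed-login reports described in the question into a time-limited ban list. It assumes sshd's usual "Failed password ... from IP" syslog lines; the log lines, thresholds and function names are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# sshd failure line, with or without the "invalid user"/"illegal user"
# prefix that sshd logs for unknown accounts (assumed log format).
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:(?:invalid|illegal) user )?\S+ "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def find_bans(lines, year, threshold=5, window=timedelta(minutes=10),
              ban_for=timedelta(days=3)):
    """Return {ip: ban_expiry} for sources with >= threshold failures in window."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    bans = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue              # accepted logins and other daemons are ignored
        # syslog timestamps carry no year, so the caller supplies it
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        q = recent[m.group(2)]
        q.append(ts)
        while ts - q[0] > window: # forget failures older than the window
            q.popleft()
        if len(q) >= threshold:
            bans[m.group(2)] = ts + ban_for
    return bans

def active(bans, now):
    """Drop expired entries so a ban lasts 'for some time', not forever."""
    return {ip: until for ip, until in bans.items() if until > now}

# Constructed sample log (documentation address ranges, hypothetical host "gw").
SAMPLE = [
    "Jan 25 03:12:01 gw sshd[811]: Failed password for root from 192.0.2.7 port 40112 ssh2",
    "Jan 25 03:12:03 gw sshd[812]: Failed password for illegal user operator from 192.0.2.7 port 40113 ssh2",
    "Jan 25 03:12:05 gw sshd[813]: Failed password for root from 192.0.2.7 port 40114 ssh2",
    "Jan 25 03:12:09 gw sshd[815]: Accepted publickey for alice from 198.51.100.20 port 50022 ssh2",
    "Jan 25 09:40:00 gw sshd[900]: Failed password for alice from 198.51.100.20 port 50100 ssh2",
    "Jan 25 09:55:00 gw sshd[901]: Failed password for alice from 198.51.100.20 port 50101 ssh2",
    "Jan 25 10:10:00 gw sshd[902]: Failed password for alice from 198.51.100.20 port 50102 ssh2",
]

if __name__ == "__main__":
    for ip, until in find_bans(SAMPLE, 2005, threshold=3).items():
        print(ip, "banned until", until)
```

The second source fails three times as well, but 15 minutes apart, so the sliding window keeps an occasional mistyped password from triggering a ban.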