From: James Strother <jstrother9109@gmail.com>
To: freebsd-questions@freebsd.org
Date: Mon, 19 Sep 2011 15:05:58 -0400
Subject: limit number of ssh connections
List: freebsd-questions (User questions)

Does anyone know a good way of limiting the number of ssh attempts from a single IP address? I found the following website, which describes a variety of approaches:

http://www.freebsdwiki.net/index.php/Block_repeated_illegal_or_failed_SSH_logins

But I am honestly not really happy with any of them. Continuously polling log files for regex hits seems... well, crude.
Just to give you an idea of what I mean, here were some of the issues I had. The sshd-scan.sh script allows IPs to be reinstated, but the timing is dependent on how frequently you rotate logs. sshguard has a pretty website, but I can't actually find much useful documentation on how to configure it. fail2ban looks like it might work with sufficient work, but the defaults are terrible. By default, every time an IP is reinstated, all IPs are reinstated. Not to mention, at present I can't seem to get it to trigger any hits.

I suppose I could keep shopping, but the truth is I just think polling log files is the wrong way to solve the problem. Anything based on this approach is going to have a long latency and be highly dependent on the unspecified and unstable formatting of log files (see http://www.fail2ban.org/wiki/index.php/HOWTO_Mac_OS_X_Server_(10.4) and the troubles an exclamation point can cause).

I would much, much rather do something like this:

http://kevin.vanzonneveld.net/techblog/article/block_brute_force_attacks_with_iptables/

Does anyone know a way to do something similar with ipfw?

Thanks in advance,
Jim