From owner-freebsd-questions@FreeBSD.ORG Tue Jan 25 13:30:44 2005
From: Joshua Tinnin
To: freebsd-questions@freebsd.org
cc: Christian Tischler
Date: Tue, 25 Jan 2005 05:30:42 -0800
Subject: Re: Banning ips for some time?
Message-Id: <200501250530.43236.krinklyfig@spymac.com>
In-Reply-To: <41F60ECC.8050206@myunix.net>

On Tuesday 25 January 2005 01:18 am, Christian Tischler wrote:
> Hi,
> as I have a DSL line which is 24/7 online (coming from a big and
> popular provider) my server's sshd reports 30 to 50 failed
> root/operator/etc. logins a day. I would like to block the incoming
> ip for a few days automatically after e.g. failed login requests.
> Currently I am using ipf, but it would be no problem to use any other
> FreeBSD firewall.
> This is not only for security reasons, but also to shorten the daily
> security run output :-)

Some people have already provided good suggestions, and this isn't
something to worry about unless someone does get in, but the easiest
way to prevent this from happening is to make sshd listen on a
different port, preferably a high-numbered one. Then, you close port 22
on your firewall and open the one you designated for sshd, and you log
in to that port from the other machine with ssh.

Also, can you go without logins, i.e., can you go entirely with
key-based authentication? That can help, too, as well as preventing
root from logging in remotely or to ssh (a user in wheel can su), but
changing the port often stops attempted ssh logins entirely.

- jt
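
The three sshd changes suggested in the reply above (a non-default port, key-only authentication, no remote root login) can be checked against a config file. This is an added example, not part of the original message; the function name audit_sshd_config and the sample file are constructed for it, and Match blocks are not evaluated.

```shell
#!/bin/sh
# Added example: audit_sshd_config and the sample config are constructed here.
# Prints one finding per line; exit status 0 means all three checks pass.
audit_sshd_config() {
    awk '
    function get(k) { return (k in val) ? val[k] : "(unset)" }
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        # sshd accepts "Keyword=value" as well as "Keyword value"
        if (match(line, /^[A-Za-z0-9]+[ \t]*=[ \t]*/)) {
            key = substr(line, 1, RLENGTH)
            sub(/[ \t]*=[ \t]*$/, "", key)
            line = key " " substr(line, RLENGTH + 1)
        }
        split(line, f, /[ \t]+/)
        key = tolower(f[1]); v = tolower(f[2])   # keywords are case-insensitive
        if (key == "match") exit             # conditional blocks: not evaluated
        # Port may be given several times and sshd listens on every one
        if (key == "port") { portset = 1; if (v == "22") port22 = 1; next }
        # for the other keywords sshd keeps the first value it reads
        if (!(key in val)) val[key] = v
    }
    END {
        bad = 0
        if (!portset)    { print "Port: not set, so sshd listens on 22"; bad = 1 }
        else if (port22) { print "Port: 22 is still among the listening ports"; bad = 1 }
        if (get("passwordauthentication") != "no") {
            print "PasswordAuthentication: " get("passwordauthentication") ", want no"; bad = 1 }
        if (get("permitrootlogin") != "no") {
            print "PermitRootLogin: " get("permitrootlogin") ", want no"; bad = 1 }
        exit bad
    }' "$1"
}

# Constructed sample: the second Port line re-adds 22, and the first
# PermitRootLogin value wins over the later "no".
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22022
port 22
PasswordAuthentication=no
PermitRootLogin yes
PermitRootLogin no
EOF
audit_sshd_config "$sample" || echo "findings listed above"
rm -f "$sample"
```

On a live host, point the function at the sshd_config file that the running sshd actually reads.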