From owner-freebsd-questions@FreeBSD.ORG  Wed Dec  1 18:02:50 2004
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 48F7216A4CE
	for <questions@freebsd.org>; Wed,  1 Dec 2004 18:02:50 +0000 (GMT)
Received: from freedombi.com (mcpeakmedia.com [207.179.98.220])
	by mx1.FreeBSD.org (Postfix) with ESMTP id E0BFD43D39
	for <questions@freebsd.org>; Wed,  1 Dec 2004 18:02:49 +0000 (GMT)
	(envelope-from charles@idealso.com)
Received: by freedombi.com (Postfix, from userid 1000)
	id 777FD724BC; Wed,  1 Dec 2004 12:41:36 -0500 (EST)
Received: from freedombi.com (localhost [192.168.10.108])
	by freedombi.com (Postfix) with ESMTP
	id E370372480; Wed,  1 Dec 2004 12:41:34 -0500 (EST)
Received: from 24.11.146.21
        (SquirrelMail authenticated user charles);
        by freedombi.com with HTTP;
        Wed, 1 Dec 2004 12:41:34 -0500 (EST)
Message-ID: <43711.24.11.146.21.1101922894.squirrel@24.11.146.21>
Date: Wed, 1 Dec 2004 12:41:34 -0500 (EST)
From: "Charles Ulrich" <charles@idealso.com>
To: questions@freebsd.org
User-Agent: SquirrelMail/1.4.3a
X-Mailer: SquirrelMail/1.4.3a
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on freedombi.com
X-Spam-Level: 
X-Spam-Status: No, hits=0.0 required=7.0 tests=none autolearn=no version=2.63
Subject: blacklisting failed ssh attempts
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Dec 2004 18:02:50 -0000


This morning I noticed that an attacker spent over a full hour trying to
brute-force accounts and passwords via ssh on one of our machines. These kinds
of attacks are becoming more frequent.

I was wondering: does anyone know of a way to blacklist a certain IP (ideally,
just for a certain time period) after a certain number of failed login
attempts via ssh? I could change the port that sshd listens on, but I'd rather
find a better solution, one that isn't just another layer of obscurity.

Thanks!

-- 
Charles Ulrich
Ideal Solution, LLC - http://www.idealso.com