From owner-freebsd-security@FreeBSD.ORG  Sun Sep 26 21:36:43 2004
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id D937E16A4CE
	for <freebsd-security@freebsd.org>;
	Sun, 26 Sep 2004 21:36:43 +0000 (GMT)
Received: from freebee.digiware.nl (dsl439.iae.nl [212.61.63.187])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 681F943D48
	for <freebsd-security@freebsd.org>;
	Sun, 26 Sep 2004 21:36:42 +0000 (GMT)	(envelope-from wjw@withagen.nl)
Received: from [212.61.27.71] (dual [212.61.27.71])
	by freebee.digiware.nl (8.12.10/8.12.10) with ESMTP id i8QLad9S093611;
	Sun, 26 Sep 2004 23:36:40 +0200 (CEST)
	(envelope-from wjw@withagen.nl)
Message-ID: <41573667.6080509@withagen.nl>
Date: Sun, 26 Sep 2004 23:36:39 +0200
From: Willem Jan Withagen <wjw@withagen.nl>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US;
	rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: "David D.W. Downey" <david.downey@gmail.com>
References: <414C2798.7060509@withagen.nl>
	<6917b781040918103077c76f0c@mail.gmail.com>	 <20040924214909.GA784@alex.lan>
	<6917b78104092601339f77948@mail.gmail.com>
In-Reply-To: <6917b78104092601339f77948@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
cc: "freebsd-security@FreeBSD.ORG" <freebsd-security@freebsd.org>
Subject: Re: Attacks on ssh port
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Sep 2004 21:36:44 -0000

David D.W. Downey wrote:

>On Fri, 24 Sep 2004 23:49:09 +0200, Alex de Kruijff
><freebsd@akruijff.dds.nl> wrote:
>  
>
>>>Then you can still see the attempts (and thus log the IP information
>>>for contacting the abuse@ for the responsible IP controller) while
>>>limiting your log sizes.
>>>      
>>>
>>This only logs the first tree catches (when the log attribuut is set)
>>per rule. You may want to set this a little higher like 100.
>>
>>    
>>
>
>while I agree my example of 3 was low (meant only to instruct) I would
>say more along the lines of 25. if someone is hitting you 25 times in
>a row and getting tagged by that rule, you can bet your butt it's not
>a client of your's.
>
It is even simpler:
    Anybody trying to use root as user for ssh-login is not a customer 
of mine....
    And if he has not figured out that he's doing something wrong after 
3 tries, little chance that he is really just making a mistake.

--WjW