From: "Ted Mittelstaedt"
To: "Charles Ulrich"
Date: Wed, 1 Dec 2004 22:33:46 -0800
Subject: RE: blacklisting failed ssh attempts

Charles,

This shouldn't bother you unless you're in the habit of using guessable
passwords.

However, if you can't let it go, I suggest you run sshd with the -i option,
out of inetd. Of course you need a fast machine so that the server key is
generated in a second or so (or lower your key length).

Then replace inetd with xinetd and set up all the DoS stuff on that.

Ted

> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Charles Ulrich
> Sent: Wednesday, December 01, 2004 9:42 AM
> To: questions@freebsd.org
> Subject: blacklisting failed ssh attempts
>
> This morning I noticed that an attacker spent over a full hour trying to
> brute-force accounts and passwords via ssh on one of our machines. These
> kinds of attacks are becoming more frequent.
>
> I was wondering: does anyone know of a way to blacklist a certain IP
> (ideally, just for a certain time period) after a certain number of failed
> login attempts via ssh? I could change the port that sshd listens on, but
> I'd rather find a better solution, one that isn't just another layer of
> obscurity.
>
> Thanks!
>
> --
> Charles Ulrich
> Ideal Solution, LLC - http://www.idealso.com
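
The behaviour asked about in the quoted question (block a source address for a limited time after a number of failed ssh logins), as an added example that is not part of the original thread. The log line format, the thresholds, the year and the name plan_blocks are assumptions, and the sample log is constructed; the code only computes block intervals from log lines in time order and leaves the firewall step out.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed sshd syslog format; older releases log "illegal user", newer "invalid user".
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:(?:invalid|illegal) user )?\S+ from (\S+) port \d+"
)

# Constructed sample log (documentation addresses, not real traffic).
SAMPLE = """\
Dec  1 09:40:01 gw sshd[811]: Failed password for illegal user admin from 192.0.2.10 port 4101 ssh2
Dec  1 09:40:03 gw sshd[812]: Failed password for illegal user test from 192.0.2.10 port 4102 ssh2
Dec  1 09:40:05 gw sshd[813]: Failed password for root from 192.0.2.10 port 4103 ssh2
Dec  1 09:40:30 gw sshd[814]: Failed password for alice from 198.51.100.7 port 2201 ssh2
Dec  1 09:40:41 gw sshd[815]: Accepted password for alice from 198.51.100.7 port 2202 ssh2
Dec  1 09:41:00 gw sshd[816]: Failed password for illegal user guest from 192.0.2.10 port 4104 ssh2
Dec  1 10:12:00 gw sshd[817]: Failed password for root from 192.0.2.10 port 4105 ssh2
""".splitlines()

def plan_blocks(lines, max_failures=3, window=timedelta(minutes=2),
                block_for=timedelta(minutes=30), year=2004):
    """Return [(ip, blocked_from, blocked_until)] for sources over the limit."""
    recent = defaultdict(deque)   # ip -> failure timestamps inside the window
    blocked_until = {}            # ip -> expiry of the current block
    blocks = []
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue              # successful logins and other daemons are ignored
        # syslog timestamps carry no year, so the caller supplies one (assumption)
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if ts < blocked_until.get(ip, datetime.min):
            continue              # still blocked; a firewall rule would drop this
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window: # forget failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            blocked_until[ip] = ts + block_for
            blocks.append((ip, ts, ts + block_for))
            q.clear()             # the block expires on its own; start counting afresh
    return blocks

if __name__ == "__main__":
    for ip, start, end in plan_blocks(SAMPLE):
        print(f"block {ip} from {start} until {end}")
```

The single mistyped password from 198.51.100.7 stays under the limit, and the failure from 192.0.2.10 at 10:12:00 is counted again because the 30-minute block has already expired.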