From owner-freebsd-questions@FreeBSD.ORG Mon Sep 19 22:08:11 2011
From: Tim Daneliuk <tundra@tundraware.com>
Date: Mon, 19 Sep 2011 16:52:29 -0500
To: James Strother
Cc: freebsd-questions@freebsd.org
Subject: Re: limit number of ssh connections
Message-ID: <4E77B99D.2040807@tundraware.com>

On 9/19/2011 2:05 PM, James Strother wrote:
> Does anyone know a good way of limiting the number of ssh attempts
> from a single IP address?
>
> I found the following website, which describes a variety of approaches:
>
> http://www.freebsdwiki.net/index.php/Block_repeated_illegal_or_failed_SSH_logins
>
>
> But I am honestly not really happy with any of them. Continuously
> polling log files for regex hits seems...well crude. Just to give you
> an idea of what I mean, here were some of the issues I had. The
> sshd-scan.sh script allows IPs to be reinstated, but the timing is
> dependent on how frequently you rotate logs. sshguard has a pretty
> website, but I can't actually find much useful documentation on how to
> configure it. fail2ban looks like it might work with sufficient work,
> but the defaults are terrible. By default, every time an IP is
> reinstated, all IPs are reinstated. Not to mention, at present I
> can't seem to get it to trigger any hits.
>
> I suppose I could keep shopping, but the truth is I just think polling
> log files is the wrong way to solve the problem. Anything based on
> this approach is going to have a long latency and be highly dependent
> on the unspecified and unstable formatting of log files (see
> http://www.fail2ban.org/wiki/index.php/HOWTO_Mac_OS_X_Server_(10.4)
> and the troubles an exclamation point can cause).
>
> I would much much rather do something like this:
>
> http://kevin.vanzonneveld.net/techblog/article/block_brute_force_attacks_with_iptables/
>
> Does anyone know a way to do something similar with ipfw?
>
>
> Thanks in advance,
> Jim
> _______________________________________________
> They cannot attack what they cannot see.

That's why I wrote this:

http://www.tundraware.com/Software/tperimeter/

It allows you to restrict access to a fixed set of hosts (via tcpwrappers)
but to dynamically request access from any host (via wrapper rewriting)
so long as you have credentials to do so. The current version has a
worst-case latency of 5 minutes from the time you remotely request ssh
access be granted until it actually is.

I am working toward an update that will grant the request immediately.

-- 
----------------------------------------------------------------------------
Tim Daneliuk tundra@tundraware.com
PGP Key: http://www.tundraware.com/PGP/
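The question in the quoted message asks for an ipfw equivalent of the iptables approach, i.e. limiting abusive ssh clients in the firewall rather than by polling log files. The script below is an added example, not part of Tim's reply, the original question, or the tperimeter project: it uses ipfw's `limit src-addr N` dynamic rule, which keeps a state entry per source address and drops the connection setup once that source already has N tracked sessions. It assumes ipfw is the active firewall, that sshd listens on the port in `SSH_PORT`, and that rule numbers 100 to 300 are free in the running ruleset; the limit of 3 sessions per source is a constructed default.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): cap concurrent SSH
# sessions per source address with ipfw dynamic rules instead of
# polling logs. Assumptions: ipfw is the active firewall, sshd listens
# on $SSH_PORT, and rule numbers 100-300 are unused in the live ruleset.

set -eu

SSH_PORT=${SSH_PORT:-22}
PER_SRC_LIMIT=${PER_SRC_LIMIT:-3}   # simultaneous sessions allowed per source IP

# Print the ipfw rule arguments, one rule per line, so the ruleset can be
# reviewed or tested without touching a live firewall.
ssh_limit_rules() {
    # Packets that belong to an already tracked session are accepted here.
    printf '%s\n' "add 100 check-state"
    # Only the first packet of a TCP connection (setup) creates a dynamic
    # state entry; a setup from a source that already has $PER_SRC_LIMIT
    # entries is dropped by the limit rule itself.
    printf '%s\n' "add 200 allow tcp from any to me dst-port ${SSH_PORT} setup limit src-addr ${PER_SRC_LIMIT}"
    # Any other traffic to the ssh port without a state entry (for example
    # after its dynamic state expired) is denied and logged.
    printf '%s\n' "add 300 deny log tcp from any to me dst-port ${SSH_PORT}"
}

# Load the rules with ipfw when it is available; otherwise print the
# commands that would have run (dry run on a host without ipfw).
apply_rules() {
    if command -v ipfw >/dev/null 2>&1; then
        ssh_limit_rules | while IFS= read -r rule; do
            # shellcheck disable=SC2086
            ipfw -q $rule
        done
    else
        ssh_limit_rules | sed 's/^/ipfw -q /'
    fi
}

apply_rules
```

Note the semantics: `limit src-addr N` bounds the number of concurrent tracked sessions from one address, which stops a client from opening many parallel connections but does not by itself count failed login attempts over a time window the way the iptables `recent` approach in the linked article does; a client that closes each connection before opening the next stays under the limit, and the dynamic state lifetimes (the `net.inet.ip.fw.dyn_*` sysctls) decide how long an idle entry is kept. The `deny log` rule only produces log lines when `net.inet.ip.fw.verbose` is enabled. As a complementary knob inside sshd itself, `MaxStartups` in sshd_config (for example `MaxStartups 10:30:60`) limits unauthenticated connections globally and starts refusing them probabilistically once the first number is reached.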