From: Dan Busarow
Organization: BuildingOnline.com
Date: Tue, 25 Aug 2015 09:09:27 -0600
To: freebsd-questions@freebsd.org
Subject: Re: Blocking SSH access based on bad logins?

On 8/25/15 8:58 AM, Michael B. Eichorn wrote:
> On Tue, 2015-08-25 at 16:28 +0200, Polytropon wrote:
>> On Tue, 25 Aug 2015 09:16:16 -0400, Jaime Kikpole wrote:
>>> I've noticed a number of SSH login attempts for the username "admin"
>>> on my FreeBSD systems. None of them have a username of "admin". So I
>>> was wondering if there was a way (even via a port) to tell the system,
>>> "If an IP tries to login as 'admin', block that IP."
>>
>> I think "fail2ban" is the solution you are searching for.
>>
>>> I'm already using SSHGuard to block certain obvious attempts to break
>>> in. I'm fine with altering its configs or adding/switching to a new
>>> port.
>>
>> You'll find "fail2ban" in the FreeBSD ports collection
>> along with some documentation. It's easy to set up. :-)
>
> I thought SSHGuard and fail2ban were both equally valid solutions to ssh
> banning. Both use the logged failed attempt and create system level block
> to the offending IP. Am I wrong on this?
>

I use sshguard on FreeBSD and prefer it. I use fail2ban on the few
Debian boxes I manage.

Dan
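
The rule asked for at the top of this thread (block any address that tries the username "admin") comes down to matching sshd's rejected-login lines, the same logged failures SSHGuard and fail2ban act on. The following is an added example, not code from the posters or from either tool: it shows that matching step only, and the log lines, `TRAP_USERS` and `offenders` are constructed for illustration.

```python
import ipaddress
import re

# Usernames that no account on this host uses (assumption for the example).
TRAP_USERS = {"admin"}

# sshd lines that carry a rejected username. The username is text chosen by
# the remote side, so the pattern is anchored at the end of the line and the
# user group is greedy: the address is always taken from the last "from"
# field, which sshd writes itself.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?:Invalid user|Failed password for invalid user) "
    r"(?P<user>.*) from (?P<addr>\S+)(?: port \d+)?(?: ssh2)?$"
)

def offenders(lines, trap_users=TRAP_USERS):
    """Return the source addresses that tried a trap username, sorted."""
    found = set()
    for line in lines:
        m = LINE_RE.search(line.rstrip("\n"))
        if not m or m.group("user") not in trap_users:
            continue
        try:
            found.add(ipaddress.ip_address(m.group("addr")))
        except ValueError:
            continue  # not a literal address: never hand it to a firewall
    return [str(a) for a in sorted(found, key=lambda a: (a.version, int(a)))]

# Constructed sample lines (documentation address ranges).
SAMPLE = [
    "Aug 25 09:16:16 host sshd[4121]: Invalid user admin from 203.0.113.5",
    "Aug 25 09:16:20 host sshd[4125]: Failed password for invalid user admin "
    "from 203.0.113.5 port 51234 ssh2",
    "Aug 25 09:17:02 host sshd[4130]: Invalid user admin from 2001:db8::5 port 40000",
    "Aug 25 09:17:40 host sshd[4133]: Invalid user oracle from 198.51.100.20 port 40100",
    "Aug 25 09:18:05 host sshd[4140]: Failed password for root from 198.51.100.9 port 22 ssh2",
    # Username that itself contains " from <address>": must not ban that address.
    "Aug 25 09:18:30 host sshd[4142]: Invalid user admin from 198.51.100.77 "
    "from 203.0.113.9 port 5022",
]

if __name__ == "__main__":
    for addr in offenders(SAMPLE):
        print(addr)
```

The returned addresses are what a blocker would then add to its firewall table; that step depends on the firewall in use and is left out here.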