From: Lyndon Nerenberg
To: Pieter de Boer
Cc: freebsd-security@freebsd.org
Date: Sat, 19 Aug 2006 14:31:58 -0700 (PDT)
Subject: Re: SSH scans vs connection ratelimiting
Message-ID: <20060819142846.N45201@orthanc.ca>
In-Reply-To: <44E76B21.8000409@thedarkside.nl>

Take a look at /usr/ports/security/bruteforceblocker. It monitors the system log for failed ssh logins, and blocks the sites via pf. It's reasonably configurable, and works very well. I've been running it for months without trouble.

Note that it lets you whitelist specific hosts to protect against someone DoSing you by forging your IP address.

--lyndon
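
The approach described in the message above (watch the log for failed ssh logins, skip whitelisted hosts, hand the rest to pf) can be sketched as follows. This is an added example, not bruteforceblocker's code and not part of the original message; the log line format, the threshold, the time window, the `sshblock` table name and the sample log are all assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# sshd "Failed password" line as written to the auth log (format assumed).
FAILED = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

def offenders(lines, whitelist, max_failures=4, window=timedelta(minutes=10), year=2006):
    """Return addresses with >= max_failures failed logins inside window."""
    allowed = [ipaddress.ip_network(n) for n in whitelist]
    recent = defaultdict(deque)   # address -> timestamps of recent failures
    blocked = []
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue              # not an IP literal: never pass it on to pf
        if any(addr in net for net in allowed):
            continue              # whitelisted hosts are never counted or blocked
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        q = recent[addr]
        q.append(when)
        while when - q[0] > window:
            q.popleft()           # forget failures older than the window
        if len(q) >= max_failures and addr not in blocked:
            blocked.append(addr)
    return blocked

def pf_commands(addrs, table="sshblock"):
    """pfctl argv lists that add each address to a pf table (table name assumed)."""
    return [["pfctl", "-t", table, "-T", "add", str(a)] for a in addrs]

# Constructed sample log (documentation address ranges).
SAMPLE = (
    [f"Aug 19 14:00:0{i} gw sshd[410{i}]: Failed password for invalid user admin "
     f"from 203.0.113.7 port 4000{i} ssh2" for i in range(5)]
    + [f"Aug 19 14:01:0{i} gw sshd[420{i}]: Failed password for root "
       f"from 192.0.2.10 port 5000{i} ssh2" for i in range(5)]
    + ["Aug 19 14:02:00 gw sshd[4300]: Failed password for bob from 198.51.100.4 port 6000 ssh2",
       "Aug 19 14:30:00 gw sshd[4301]: Failed password for bob from 198.51.100.4 port 6001 ssh2",
       "Aug 19 14:31:00 gw sshd[4302]: Accepted password for bob from 198.51.100.4 port 6002 ssh2"]
)

if __name__ == "__main__":
    for argv in pf_commands(offenders(SAMPLE, whitelist=["192.0.2.10/32"])):
        print(" ".join(argv))
```

With the whitelist in place only 203.0.113.7 is handed to pf; without it, the five failures attributed to 192.0.2.10 would get that host blocked as well.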