From: Sandy Rutherford
Date: Wed, 26 Jan 2005 08:57:33 -0800
To: Christian Tischler
cc: FreeBSD Questions
Subject: Re: Banning ips for some time?
Message-ID: <16887.52221.648112.336027@szamoca.krvarr.bc.ca>
In-Reply-To: <41F60ECC.8050206@myunix.net>

Christian,

On Tue, 25 Jan 2005 you wrote:

 > .... my server's sshd reports 30 to 50 failed
 > root/operator/etc. logins a day. I would like to block the incoming ip
 > for a few days automatically after e.g. failed login requests.
 > Currently I am using ipf, but it would be no problem to use any other
 > FreeBSD firewall.

For peace of mind, you can always use the AllowGroups, AllowUsers,
PermitRootLogin, .... options in sshd_config to remove ssh access to
root, uucp, operator, and other system accounts. I only permit ssh
access to user accounts. The scripts which are making these login
attempts are not typically going to try user accounts for obvious
reasons.

If you need off-site root access, you should be using su or sudo bash
anyway. I would recommend always turning off root access via ssh.

...Sandy
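
Added example, not part of the original message: a small Python check that reads sshd_config text and reports whether the PermitRootLogin, AllowUsers and AllowGroups advice above is in effect, including the case where a second PermitRootLogin line is ignored because sshd uses the first value it obtains for a keyword. The function names, the sample configurations and the group name `sshusers` are assumptions made for this example.

```python
SYSTEM_ACCOUNTS = {"root", "uucp", "operator"}  # accounts named in the message

def effective_settings(text):
    """Parse the global section of sshd_config text (stops at the first Match)."""
    first = {}                                   # keyword -> first value seen
    allow = {"allowusers": [], "allowgroups": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()                   # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        if key in allow:
            # Assumption of this example: gather names from every such line.
            allow[key].extend(value.split())
        else:
            first.setdefault(key, value)         # sshd uses the first value obtained
    return first, allow

def audit(text):
    """Return a list of findings; an empty list means the advice is followed."""
    first, allow = effective_settings(text)
    findings = []
    root = first.get("permitrootlogin")
    if root is None:
        findings.append("PermitRootLogin not set: built-in default applies")
    elif root.lower() != "no":
        findings.append(f"PermitRootLogin is '{root}': root ssh login not disabled")
    if not allow["allowusers"] and not allow["allowgroups"]:
        findings.append("no AllowUsers/AllowGroups: logins not limited by account")
    for entry in allow["allowusers"]:
        user = entry.split("@", 1)[0]            # entries may be user@host patterns
        if user in SYSTEM_ACCOUNTS:
            findings.append(f"AllowUsers lists system account '{user}'")
    return findings

# Constructed samples. 'sshusers' is a hypothetical group name.
WEAK = "# later 'no' is ignored\nPermitRootLogin yes\nPermitRootLogin no\n"
HARDENED = "PermitRootLogin no\nAllowGroups sshusers\n"

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(cfg) or "ok")
```

The check covers only the global section of the file; settings inside Match blocks are not evaluated.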