From: John Cholewa
Date: Fri, 01 Jul 2005 09:43:14 -0400
To: freebsd-questions@freebsd.org
Subject: autoblocking many ssh failed logins from the same IP....
Message-ID: <42C54872.50106@jc-news.com>

Jun 30 10:36:05 phantom sshd[70478]: Failed password for news from 212.88.182.121 port 51218 ssh2
Jun 30 10:36:16 phantom sshd[70500]: Failed password for sshd from 212.88.182.121 port 51608 ssh2
Jun 30 10:36:39 phantom sshd[70569]: Failed password for root from 212.88.182.121 port 52297 ssh2

I get the above a lot in my logs (except more of it). Each day, a couple hundred failed attempts to log in from one or sometimes two IP addresses show up.

I don't have anything like ipf running, and since this machine is about fifteen hundred miles away from me, I don't want to experiment with software firewalling right now. That known, is there any way to tell sshd (or some more powerful daemon) to stop accepting login attempts from a given IP if it tries and fails to log in too many times in a limited duration (like in the same minute)?

I suppose, now that I'm thinking about it, that it'd be best to actually just read the man pages and figure out how to get sshd to ignore any attempt to attach from ports other than 22. I mean, why are other machines trying to ssh in at ports over fifty thousand anyway?

-- 
-JC
http://www.livejournal.com/users/jcholewa/

PS: Oh, yeah ... "FreeBSD 4.8-RELEASE #0: Thu Apr 3 10:53:38 GMT 2003" ; openssh-3.6.1_5 ; openssl-0.9.7d_1
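
Added example, not part of the original post: a sliding-window count of sshd "Failed password" lines per source IP, which is the detection half of what the message asks for. The function name offenders, the limit of 3 failures in 60 seconds, the year argument and the 192.0.2.10 log lines are assumptions made for illustration; the first three sample lines are the ones quoted in the message.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: the three lines from the post plus made-up extras.
SAMPLE_LOG = """\
Jun 30 10:36:05 phantom sshd[70478]: Failed password for news from 212.88.182.121 port 51218 ssh2
Jun 30 10:36:16 phantom sshd[70500]: Failed password for sshd from 212.88.182.121 port 51608 ssh2
Jun 30 10:36:39 phantom sshd[70569]: Failed password for root from 212.88.182.121 port 52297 ssh2
Jun 30 10:40:00 phantom sshd[70600]: Failed password for jc from 192.0.2.10 port 40000 ssh2
Jun 30 10:55:00 phantom sshd[70700]: Failed password for illegal user bob from 192.0.2.10 port 40001 ssh2
Jun 30 10:56:00 phantom sshd[70701]: Accepted password for jc from 192.0.2.10 port 40002 ssh2
"""

# Timestamp, host, sshd[pid], then the failure message; older OpenSSH logs
# "illegal user", newer versions log "invalid user".
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:(?:illegal|invalid) user )?\S+ "
    r"from (\S+) port \d+")

def offenders(lines, threshold=3, window=timedelta(seconds=60), year=2005):
    """Return {ip: time of the failure that first reached the threshold}."""
    recent = defaultdict(deque)    # ip -> failure times still inside the window
    flagged = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue               # successes and other daemons are ignored
        # syslog lines carry no year, so the caller supplies it (assumption)
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged

if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} reached the limit at {when}")
```

The returned addresses are only a list; what consumes it (a deny rule, a report) is left open here.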