From owner-freebsd-isp@FreeBSD.ORG Mon Jul 25 16:27:46 2005
Message-ID: <42E51310.60102@telia.com>
Date: Mon, 25 Jul 2005 18:28:00 +0200
From: Andreas Pettersson
To: freebsd-isp@freebsd.org
References: <42DEAE1F.8000702@novusordo.net> <77588585.20050725010451@rulez.sk>
In-Reply-To: <77588585.20050725010451@rulez.sk>
Subject: Re: ssh brute force
List-Id: Internet Services Providers

Daniel Gerzo wrote:

>Hello Chris,
>
>Thursday, July 21, 2005, 2:43:08 AM, you wrote:
>
>>On 7/20/05, Chris Jones wrote:
>>
>>>I'm looking at having a script look at SSH's log output for repeated
>>>failed connection attempts from the same address, and then blocking that
>>>address through pf (I'm not yet sure whether I want to do it temporarily
>>>or permanently).
>>
>>Matt Dillon wrote an app in C to do just that, with ipfw.
>>http://leaf.dragonflybsd.org/mailarchive/users/2005-03/msg00008.html
>>
>>Scott Ullrich modified it to work with pf.
>>http://pfsense.org/cgi-bin/cvsweb.cgi/tools/sshlockout_pf.c
>
>I have made security/bruteforceblocker
>It's a perl script that works with opensshd's logs and pf

And here is another one, similar to Daniel's, but this one uses ipfw
instead, AND another neat thing is that a block isn't permanent. There's
a janitor cleaning up ipfw rules after a specified time.

http://anp.ath.cx/sshit/

I made it the other day, so I haven't had time to hardcore test it. Let
me know if it's not working, or if it is ;-)

/Andreas
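
The approach discussed in this thread (count failed sshd logins per source address, block at a threshold, and have a janitor lift the block after a set time), as an added example; it is not code from sshit, bruteforceblocker or sshlockout. The thresholds, the `Lockout` class and the log lines are constructed assumptions, and the firewall call is left out, so `blocked` only records what would be pushed to ipfw or pf.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Assumed policy values (hypothetical, not taken from any tool named in the thread).
MAX_FAILS = 3                      # failures tolerated inside WINDOW
WINDOW = timedelta(seconds=60)     # sliding window for counting failures
BLOCK_TTL = timedelta(minutes=5)   # lifetime of a block before the janitor lifts it
FAIL_RE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: Failed password for "
                     r"(?:invalid user )?\S+ from (\d{1,3}(?:\.\d{1,3}){3}) port \d+")

class Lockout:
    def __init__(self):
        # fails: ip -> recent failure times; blocked: ip -> expiry time
        self.fails, self.blocked = defaultdict(deque), {}

    def janitor(self, now):
        """Drop blocks whose TTL has passed; return the addresses released."""
        expired = [ip for ip, until in self.blocked.items() if until <= now]
        for ip in expired:
            del self.blocked[ip]
        return expired

    def feed(self, line, year=2005):
        """Process one syslog line; return the IP if this line triggers a new block."""
        m = FAIL_RE.match(line)
        if not m:
            return None                        # not a failed-password line
        now = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        self.janitor(now)                      # lift expired blocks first
        if ip in self.blocked:
            return None                        # already blocked, nothing new
        q = self.fails[ip]
        q.append(now)
        while now - q[0] > WINDOW:             # slide the window forward
            q.popleft()
        if len(q) < MAX_FAILS:
            return None
        self.blocked[ip] = now + BLOCK_TTL     # a real tool adds the firewall rule here
        del self.fails[ip]
        return ip

# Constructed sample log lines (documentation address ranges, made-up host and users).
SAMPLE = [
    "Jul 25 18:00:01 gw sshd[411]: Failed password for root from 203.0.113.9 port 4021 ssh2",
    "Jul 25 18:00:03 gw sshd[412]: Failed password for invalid user test from 203.0.113.9 port 4022 ssh2",
    "Jul 25 18:00:04 gw sshd[413]: Accepted publickey for alice from 198.51.100.7 port 5100 ssh2",
    "Jul 25 18:00:05 gw sshd[414]: Failed password for admin from 203.0.113.9 port 4023 ssh2",
    "Jul 25 18:10:00 gw sshd[420]: Failed password for root from 203.0.113.9 port 4030 ssh2",
]
```

Feeding `SAMPLE` line by line blocks 203.0.113.9 on the third failure; the last line arrives after the TTL, so the janitor has already released the address and counting starts again.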