From owner-freebsd-questions@FreeBSD.ORG Tue May 6 18:36:00 2008
Message-ID: <4820A50A.6060503@boosten.org>
Date: Tue, 06 May 2008 20:35:54 +0200
From: Peter Boosten
To: Beech Rintoul
Cc: Gilles, David Kelly, freebsd-questions@freebsd.org
References: <200805060931.18936.beech@freebsd.org> <20080506173912.GB85015@Grumpy.DynDNS.org> <200805060959.28509.beech@freebsd.org>
In-Reply-To: <200805060959.28509.beech@freebsd.org>
Subject: Re: [SSHd] Increasing wait time?
Beech Rintoul wrote:
> On Tuesday 06 May 2008, David Kelly said:
>> On Tue, May 06, 2008 at 09:31:15AM -0800, Beech Rintoul wrote:
>>>> Is there a way to configure SSHd, so that the wait time between
>>>> login attempts increases after X failed tries?
>>> Not that I know of. You should look into denyhosts (in the ports)
>>> it works well and even has a RBL feature to block some of these
>>> script kiddies proactively. Unfortunately, these attempts have
>>> become a fact of life. I probably get 20 - 30 attempts a day
>>> between my various servers.
>> Depending on how you use ssh from external systems you could add
>> firewall rules to disallow all but known sources.
>
> I was doing that in the past, but I found it to be inflexible and
> sometimes a pain to deal with. I sometimes need to access a server
> from a new location and that kind of hard lockdown just isn't
> practical. The denyhosts solution works very well for me and the RBH
> feature blocks 9 out of 10 attempts outright.
>

It's quite simple if you're using pf: in your pf.conf:

************
table <blacklist> persist
block in quick on $ext_if proto tcp from <blacklist> to any \
    port 22 label "ssh bruteforce"
pass in on $ext_if inet proto tcp from any to any port ssh flags S/SA \
    keep state (max-src-conn 15, max-src-conn-rate 5/40, \
    overload <blacklist> flush global)
************

What it does is check whether more than 15 connections are made from the
same IP address, or 5 within 40 seconds. If that happens the offending IP
address is put in the dynamic table called blacklist and gets blocked.
Works like a charm.

Another option is sshguard (/usr/ports/security/sshguard)

Peter
--
http://www.boosten.org
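A model of how the overload clause in the pf.conf above behaves, added here as an illustration that is not part of Peter's mail or of pf itself: it replays constructed connection events against the 15-concurrent and 5-per-40-seconds thresholds. The sliding-window treatment of the rate counter is an assumption; pf's own implementation differs in detail.

```python
from collections import defaultdict, deque

# Thresholds taken from the pf.conf snippet in the mail above
MAX_SRC_CONN = 15               # max-src-conn 15: concurrent states per source
RATE_CONNS, RATE_SECS = 5, 40   # max-src-conn-rate 5/40: new states per 40 s


def simulate(events, max_conn=MAX_SRC_CONN, rate=(RATE_CONNS, RATE_SECS)):
    """Replay (timestamp, src_ip, 'open'|'close') events through a model of
    the overload rule. Returns (blacklist, log); log entries are
    (timestamp, src_ip, 'pass'|'overload'|'blocked').
    Assumption: the rate limit is modelled as a sliding window over the
    last RATE_SECS seconds, which is a simplification of pf's counter.
    """
    limit, window = rate
    recent = defaultdict(deque)      # src -> timestamps of recent state creations
    open_states = defaultdict(int)   # src -> currently open states
    blacklist = set()                # the <blacklist> table
    log = []
    for ts, src, action in sorted(events):
        if action == "close":
            open_states[src] = max(0, open_states[src] - 1)
            continue
        if src in blacklist:
            # 'block in quick ... from <blacklist>' wins before the pass rule
            log.append((ts, src, "blocked"))
            continue
        q = recent[src]
        while q and ts - q[0] > window:   # drop creations older than the window
            q.popleft()
        q.append(ts)
        open_states[src] += 1
        if len(q) > limit or open_states[src] > max_conn:
            blacklist.add(src)            # overload <blacklist>
            open_states[src] = 0          # flush global: kill the source's states
            log.append((ts, src, "overload"))
        else:
            log.append((ts, src, "pass"))
    return blacklist, log


# Constructed sample traffic (not a real capture): a scanner opening a new SSH
# connection every 2 s, and a normal user connecting three times in 70 s.
SAMPLE_EVENTS = [(t, "198.51.100.7", "open") for t in range(0, 13, 2)]
SAMPLE_EVENTS += [(t, "203.0.113.9", "open") for t in (0, 30, 70)]

if __name__ == "__main__":
    blacklist, log = simulate(SAMPLE_EVENTS)
    print("blacklisted:", sorted(blacklist))
    for entry in log:
        print(*entry)
```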