From: Chris Buechler
To: Chris Jones
Cc: freebsd-isp@freebsd.org, Todor Dragnev
Date: Wed, 20 Jul 2005 20:43:08 -0400
Subject: Re: ssh brute force
In-Reply-To: <42DEAE1F.8000702@novusordo.net>

On 7/20/05, Chris Jones wrote:
>
> I'm looking at having a script look at SSH's log output for repeated
> failed connection attempts from the same address, and then blocking that
> address through pf (I'm not yet sure whether I want to do it temporarily
> or permanently).

Matt Dillon wrote an app in C to do just that, with ipfw.
http://leaf.dragonflybsd.org/mailarchive/users/2005-03/msg00008.html

Scott Ullrich modified it to work with pf.
http://pfsense.org/cgi-bin/cvsweb.cgi/tools/sshlockout_pf.c

-Chris
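
The log-watching approach described in the quoted message, as an added example that is not part of the original thread and is not the sshlockout code linked above: it counts failed sshd logins per source address in a sliding window and builds, without running, the pfctl command that adds an offender to a pf table. The log lines are constructed, and the table name, allow-list, threshold and window are assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in syslog format; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Jul 20 17:40:01 gw sshd[4101]: Failed password for root from 203.0.113.5 port 40112 ssh2
Jul 20 17:40:03 gw sshd[4103]: Failed password for invalid user admin from 203.0.113.5 port 40115 ssh2
Jul 20 17:40:04 gw sshd[4104]: Accepted publickey for chris from 192.0.2.10 port 50022 ssh2
Jul 20 17:40:06 gw sshd[4106]: Failed password for invalid user x from 192.0.2.10 from 203.0.113.5 port 40119 ssh2
Jul 20 17:41:30 gw sshd[4120]: Failed password for chris from 198.51.100.7 port 33010 ssh2
Jul 20 18:55:00 gw sshd[4200]: Failed password for chris from 198.51.100.7 port 33400 ssh2
Jul 20 18:55:09 gw sshd[4201]: Failed password for chris from 198.51.100.7 port 33402 ssh2
"""

# The user name is client-supplied text, so take the address from the fixed
# tail of the line (greedy .* picks the last " from ") instead of the first match.
FAIL_RE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
                     r"Failed \S+ for .* from (\S+) port \d+(?: ssh\d)?$")

def find_offenders(log_text, threshold=3, window=timedelta(minutes=10), year=2005):
    """Return addresses with >= threshold failures inside any sliding window."""
    recent = defaultdict(deque)   # address -> timestamps still inside the window
    offenders = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        try:
            addr = str(ipaddress.ip_address(m.group(2)))
        except ValueError:
            continue              # hostname or junk: never hand it to the firewall
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        hits = recent[addr]
        hits.append(when)
        while when - hits[0] > window:
            hits.popleft()
        if len(hits) >= threshold and addr not in offenders:
            offenders.append(addr)
    return offenders

def pf_commands(addresses, table="ssh_bruteforce", allow=("192.0.2.10",)):
    """Build (not run) pfctl argv lists; 'table' and 'allow' are assumed names."""
    return [["pfctl", "-t", table, "-T", "add", a] for a in addresses if a not in allow]

if __name__ == "__main__":
    for argv in pf_commands(find_offenders(SAMPLE_LOG)):
        print(" ".join(argv))
```

The table only has an effect if the pf ruleset contains a rule that blocks traffic from it, and syslog timestamps carry no year, so the `year` argument has to be supplied by the caller.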