From: Andrew McNaughton
To: Chris Buechler
Cc: freebsd-isp@freebsd.org, Chris Jones, Todor Dragnev
Date: Thu, 21 Jul 2005 12:51:47 +1200 (NZST)
Subject: Re: ssh brute force
Message-ID: <20050721124837.M5699@a2.scoop.co.nz>
References: <42DEAE1F.8000702@novusordo.net>
List-Id: Internet Services Providers (freebsd-isp@freebsd.org)

On Wed, 20 Jul 2005, Chris Buechler wrote:

> On 7/20/05, Chris Jones wrote:
>>
>> I'm looking at having a script look at SSH's log output for repeated
>> failed connection attempts from the same address, and then blocking that
>> address through pf (I'm not yet sure whether I want to do it temporarily
>> or permanently).

Make it temporary. Maybe three hours after 3 successive failures. Just
slowing down connections is enough to make brute force impractical.

Andrew

-------------------------------------------------------------------
Andrew McNaughton
http://www.scoop.co.nz/
andrew@scoop.co.nz
Mobile: +61 422 753 792

-- Of all forms of caution, caution in love is the most fatal --

pgp encrypted mail welcome
keyid: 70F6C32D  keyserver: pgp.mit.edu
5688 2396 AA81 036A EBAC 2DD4 1BEA 7975 A84F 6686
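The approach discussed in this thread (watch sshd's log, count failures per source address, block the address in a pf table, and lift the block again after a few hours) sketched as an added example. This is not code from the thread or from any of its participants; it is an illustration written here. It assumes OpenSSH's "Failed password for ... from ADDR port N" and "Accepted ... from ADDR port N" log wording, a pf table called `bruteforce` (name chosen for the example), the 3-failures / 3-hour numbers from Andrew's reply, and constructed log lines using documentation addresses. The script does not execute anything; it returns the `pfctl -t TABLE -T add|delete ADDR` argv that a wrapper would run, so it can be tried offline.

```python
import re
from datetime import datetime, timedelta

# OpenSSH auth-log lines we care about. A successful login from an address
# ends its run of "successive" failures, so both kinds are matched.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?\S+ from (\S+) port \d+")
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted \S+ for \S+ from (\S+) port \d+")

# Syslog timestamps carry no year; the year is an assumption for the example.
LOG_YEAR = 2005


def parse_ts(line):
    """Parse the leading 'Mon DD HH:MM:SS' syslog timestamp of a log line."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=LOG_YEAR)


class BruteForceMonitor:
    """Count successive sshd failures per address and emit temporary pf blocks."""

    def __init__(self, threshold=3, block_for=timedelta(hours=3), table="bruteforce"):
        self.threshold = threshold      # failures before a block (3, per the thread)
        self.block_for = block_for      # how long a block lasts (3 hours, per the thread)
        self.table = table              # pf table name (assumed; must exist in pf.conf)
        self.failures = {}              # addr -> current run of successive failures
        self.blocked = {}               # addr -> datetime at which the block expires

    def feed(self, line):
        """Process one log line. Return a pfctl argv to run, or None."""
        m = ACCEPTED_RE.search(line)
        if m:
            self.failures.pop(m.group(1), None)   # a success breaks the streak
            return None
        m = FAILED_RE.search(line)
        if not m:
            return None
        addr = m.group(1)
        if addr in self.blocked:
            return None                           # already in the table
        self.failures[addr] = self.failures.get(addr, 0) + 1
        if self.failures[addr] < self.threshold:
            return None
        # Threshold reached: record the expiry and ask for the table entry.
        self.blocked[addr] = parse_ts(line) + self.block_for
        self.failures.pop(addr)
        return ["pfctl", "-t", self.table, "-T", "add", addr]

    def expire(self, now):
        """Return pfctl argvs that remove every block whose expiry has passed."""
        cmds = []
        for addr, until in list(self.blocked.items()):
            if now >= until:
                del self.blocked[addr]
                cmds.append(["pfctl", "-t", self.table, "-T", "delete", addr])
        return cmds


# Constructed sample log: one address fails three times in a row, another
# fails once, logs in successfully, then fails once more (no block).
SAMPLE_LOG = """\
Jul 20 23:14:02 gw sshd[61201]: Failed password for invalid user admin from 203.0.113.5 port 45678 ssh2
Jul 20 23:14:05 gw sshd[61203]: Failed password for invalid user admin from 203.0.113.5 port 45679 ssh2
Jul 20 23:14:09 gw sshd[61205]: Failed password for root from 203.0.113.5 port 45680 ssh2
Jul 20 23:15:40 gw sshd[61210]: Failed password for chris from 198.51.100.7 port 2222 ssh2
Jul 20 23:15:52 gw sshd[61210]: Accepted publickey for chris from 198.51.100.7 port 2222 ssh2
Jul 20 23:16:30 gw sshd[61222]: Failed password for chris from 198.51.100.7 port 2223 ssh2
"""


def run_sample(lines=None):
    """Feed the sample log through a monitor; return (monitor, commands emitted)."""
    monitor = BruteForceMonitor()
    lines = SAMPLE_LOG.splitlines() if lines is None else lines
    cmds = [c for c in (monitor.feed(l) for l in lines) if c]
    return monitor, cmds


if __name__ == "__main__":
    mon, cmds = run_sample()
    for c in cmds:
        print(" ".join(c))
    print("blocked until:", mon.blocked)
    print("expired at 02:30:", mon.expire(datetime(LOG_YEAR, 7, 21, 2, 30)))
```

For the table to have any effect, pf.conf needs a persistent table and a rule that uses it, along the lines of `table <bruteforce> persist` and `block in quick from <bruteforce>`; a cron job calling `expire()` with the current time is what makes the block temporary rather than permanent. Keeping blocks short, as the reply suggests, also limits the damage when a legitimate user behind a shared address mistypes a password three times.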