Date: Tue, 06 May 2008 17:24:31 -0400
From: Randy Ramsdell <rramsdell@livedatagroup.com>
Cc: freebsd-questions <freebsd-questions@freebsd.org>
Subject: Re: [SSHd] Increasing wait time?
Message-ID: <4820CC8F.7010507@livedatagroup.com>
In-Reply-To: <EA6F2FDA-706D-4A9F-A582-551642822693@lafn.org>
References: <q7412457qoumm8v8dbth10fug2ctbrlfp0@4ax.com> <200805060931.18936.beech@freebsd.org> <20080506173912.GB85015@Grumpy.DynDNS.org> <48209BFF.6090607@livedatagroup.com> <EA6F2FDA-706D-4A9F-A582-551642822693@lafn.org>
Doug Hardie wrote:
>
> On May 6, 2008, at 10:57, Randy Ramsdell wrote:
>
>> David Kelly wrote:
>>> On Tue, May 06, 2008 at 09:31:15AM -0800, Beech Rintoul wrote:
>>>
>>>>> Is there a way to configure SSHd, so that the wait time between
>>>>> login attempts increases after X failed tries?
>>>>>
>>>> Not that I know of. You should look into denyhosts (in the ports); it
>>>> works well and even has an RBL feature to block some of these script
>>>> kiddies proactively. Unfortunately, these attempts have become a fact
>>>> of life. I probably get 20 - 30 attempts a day between my various
>>>> servers.
>>>>
>>> Depending on how you use ssh from external systems you could add
>>> firewall rules to disallow all but known sources.
>>>
>> I used portsentry several years ago, which is a realtime portscan
>> blocker. It would trigger on this type of ssh portscan for sure. One
>> problem is that it blocks using firewall rules, hosts.deny etc...
>> and would have to be actively maintained. Meaning: I cleaned these
>> entries once a week. I am not sure it is ported to BSD either.
>
> Another option is to change the port SSH uses to some very unusual
> port. I do this on all the systems I use and change the port settings
> in ssh.conf and sshd.conf. This approach works if you don't have lots
> of users using SSH, as it does require some sophistication to work with
> it. Since I have only 3 people who can use SSH it works great for me.

Yeah, this also works well. I just shy away from security through obscurity. However, I also moved ssh to port 40001 or so and monitored SYN packets. I never logged an attempt to log in except auth'd users. It was never port scanned for ssh specific either.
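The counting step that denyhosts-style blocking after "X failed tries" rests on, as an added example that is not from the thread or from denyhosts: it tallies sshd "Failed password" lines per source address and lists those at or above a threshold you choose. The log lines are constructed sample data, and the pf table mentioned in the comment is an assumption about how the list would be consumed.

```sh
#!/bin/sh
# Constructed sample of sshd lines in auth.log format (not real traffic).
SAMPLE_LOG='May  6 17:01:02 host sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
May  6 17:01:05 host sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
May  6 17:01:09 host sshd[1207]: Failed password for invalid user test from 203.0.113.7 port 51041 ssh2
May  6 17:02:11 host sshd[1210]: Accepted publickey for randy from 198.51.100.4 port 40100 ssh2
May  6 17:03:30 host sshd[1215]: Failed password for randy from 198.51.100.4 port 40112 ssh2
May  6 17:05:44 host sshd[1220]: Failed password for invalid user oracle from 192.0.2.99 port 33310 ssh2
May  6 17:05:45 host sshd[1221]: Failed password for invalid user oracle from 192.0.2.99 port 33311 ssh2
May  6 17:05:46 host sshd[1222]: Failed password for invalid user oracle from 192.0.2.99 port 33312 ssh2
May  6 17:05:47 host sshd[1223]: Failed password for invalid user oracle from 192.0.2.99 port 33313 ssh2'

# failed_by_source LOG THRESHOLD
# Prints "count ip" for every source with at least THRESHOLD failed
# password attempts, most active first. Accepted logins are ignored.
failed_by_source() {
    printf '%s\n' "$1" |
    awk -v threshold="$2" '
        /sshd\[[0-9]+\]: Failed password for / {
            # the source address is the field right after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
        }
        END {
            for (ip in fails) if (fails[ip] >= threshold) printf "%d %s\n", fails[ip], ip
        }' |
    sort -rn
}

# block_candidates LOG THRESHOLD
# Addresses only, one per line, in a shape a pf(4) table could be fed from
# (assumed consumer). Review before loading: a legitimate user who mistyped
# a password once (198.51.100.4 above) shows up at low thresholds too.
block_candidates() {
    failed_by_source "$1" "$2" | awk '{ print $2 }'
}

failed_by_source "$SAMPLE_LOG" 3
```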