From owner-freebsd-questions@FreeBSD.ORG Wed Sep 17 23:21:53 2008
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 81B441065679 for ; Wed, 17 Sep 2008 23:21:53 +0000 (UTC) (envelope-from cswiger@mac.com)
Received: from asmtpout020.mac.com (asmtpout020.mac.com [17.148.16.95]) by mx1.freebsd.org (Postfix) with ESMTP id 6D3308FC0C for ; Wed, 17 Sep 2008 23:21:53 +0000 (UTC) (envelope-from cswiger@mac.com)
MIME-version: 1.0
Content-transfer-encoding: 7BIT
Content-type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Received: from cswiger1.apple.com ([17.227.140.124]) by asmtp020.mac.com (Sun Java(tm) System Messaging Server 6.3-7.03 (built Aug 7 2008; 32bit)) with ESMTPSA id <0K7D006WE4UMZS50@asmtp020.mac.com> for freebsd-questions@freebsd.org; Wed, 17 Sep 2008 16:21:52 -0700 (PDT)
Message-id:
From: Chuck Swiger
To: "Marc G. Fournier"
In-reply-to: <14143EECEC1CC52A4BC39AC3@ganymede.hub.org>
Date: Wed, 17 Sep 2008 16:20:46 -0700
References: <14143EECEC1CC52A4BC39AC3@ganymede.hub.org>
X-Mailer: Apple Mail (2.929.2)
Cc: freebsd-questions@freebsd.org
Subject: Re: Auto blacklist ssh connections ...
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 17 Sep 2008 23:21:53 -0000

On Sep 17, 2008, at 4:15 PM, Marc G. Fournier wrote:
> Does anyone know of a utility that I can use with sshd to auto-block
> by IP if there are more than N failed attempts in a row?

Certainly. See:

% cat /usr/ports/security/denyhosts/pkg-descr
DenyHosts is a script intended to be run by *ix system administrators to
help thwart ssh server attacks. If you've ever looked at your ssh log
(/var/log/auth.log) you may be alarmed to see how many hackers attempted
to gain access to your server.

Denyhosts helps you:
- Parses /var/log/auth.log to find all login attempts
- Can be run from the command line, cron or as a daemon (new in 0.9)
- Records all failed login attempts for the user and offending host
- For each host that exceeds a threshold count, records the evil host
- Keeps track of each non-existent user (eg. sdada) when a login attempt failed.
- Keeps track of each existing user (eg. root) when a login attempt failed.
- Keeps track of each offending host (hosts can be purged)
- Keeps track of suspicious logins
- Keeps track of the file offset, so that you can reparse the same file
- When the log file is rotated, the script will detect it
- Appends /etc/hosts.allow
- Optionally sends an email of newly banned hosts and suspicious logins.
- Resolves IP addresses to hostnames, if you want

WWW: http://denyhosts.sourceforge.net/

Works fine. Just be careful to whitelist some known-OK IPs first, as you
can end up blocking yourself out if someone is careless logging in as the
wrong user or similar....

Regards,
-- 
-Chuck
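The mechanics Chuck's reply describes (parse sshd failures out of auth.log, count them per source host, compare against a threshold, skip a whitelist of known-OK addresses, and emit /etc/hosts.allow deny entries) fit in a short script. The following is an added example written for this page in Python; it is not DenyHosts' own code, and it makes two assumptions that DenyHosts may handle differently: a host's failure count is treated as a streak that resets on a successful login from that host (to match Marc's "in a row"), and the output uses the FreeBSD /etc/hosts.allow form `daemon : client : deny`. The log lines and addresses are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of FreeBSD /var/log/auth.log sshd lines (not real log data).
# 198.51.100.7 is imagined as a colleague on the office LAN mistyping usernames;
# 203.0.113.9 is a brute-forcer hammering root.
SAMPLE_AUTH_LOG = """\
Sep 17 16:01:02 ganymede sshd[4021]: Failed password for root from 198.51.100.7 port 51234 ssh2
Sep 17 16:01:05 ganymede sshd[4023]: Invalid user sdada from 198.51.100.7
Sep 17 16:01:05 ganymede sshd[4023]: Failed password for invalid user sdada from 198.51.100.7 port 51240 ssh2
Sep 17 16:01:09 ganymede sshd[4025]: Failed password for invalid user admin from 198.51.100.7 port 51244 ssh2
Sep 17 16:02:11 ganymede sshd[4030]: Failed password for marc from 192.0.2.10 port 40010 ssh2
Sep 17 16:02:20 ganymede sshd[4031]: Accepted publickey for marc from 192.0.2.10 port 40012 ssh2
Sep 17 16:03:00 ganymede sshd[4040]: Failed password for root from 203.0.113.9 port 2222 ssh2
Sep 17 16:03:01 ganymede sshd[4041]: Failed password for root from 203.0.113.9 port 2223 ssh2
Sep 17 16:03:02 ganymede sshd[4042]: Failed password for root from 203.0.113.9 port 2224 ssh2
Sep 17 16:03:03 ganymede sshd[4043]: Failed password for root from 203.0.113.9 port 2225 ssh2
"""

# "Failed password for [invalid user ]USER from HOST port N" is the one line
# counted per failed attempt; the separate "Invalid user" line is ignored so a
# bad username is not counted twice.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<host>\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<host>\S+) port \d+"
)


def parse_attempts(log_text):
    """Yield (kind, user, host, user_exists) for each sshd auth line, in file order."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield ("fail", m.group("user"), m.group("host"), m.group("invalid") is None)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            yield ("ok", m.group("user"), m.group("host"), True)


def consecutive_failures(log_text):
    """Per host: failures since that host's last successful login (streak),
    plus the non-existent usernames it tried (DenyHosts' 'sdada' bookkeeping)."""
    streak = defaultdict(int)
    bad_users = defaultdict(set)
    for kind, user, host, exists in parse_attempts(log_text):
        if kind == "ok":
            streak[host] = 0          # assumption: a successful login resets the streak
        else:
            streak[host] += 1
            if not exists:
                bad_users[host].add(user)
    return dict(streak), {h: sorted(u) for h, u in bad_users.items()}


def is_allowlisted(host, networks):
    """True if host is inside any whitelisted network; unparseable hosts are not whitelisted."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(ip in net for net in networks)


def hosts_to_deny(log_text, threshold, allowlist=()):
    """Hosts whose streak reached the threshold, minus the whitelist (Chuck's caveat)."""
    networks = [ipaddress.ip_network(a, strict=False) for a in allowlist]
    streak, _ = consecutive_failures(log_text)
    return sorted(h for h, n in streak.items()
                  if n >= threshold and not is_allowlisted(h, networks))


def hosts_allow_lines(hosts):
    """Entries to append to FreeBSD /etc/hosts.allow: 'daemon : client : action'."""
    return [f"sshd : {h} : deny" for h in hosts]


if __name__ == "__main__":
    # Whitelisting the office network keeps the careless colleague from being banned.
    for line in hosts_allow_lines(hosts_to_deny(SAMPLE_AUTH_LOG, 3, allowlist=("198.51.100.0/24",))):
        print(line)
```

Run as-is it prints only `sshd : 203.0.113.9 : deny`; drop the allowlist argument and 198.51.100.7 is banned too after its three failures, which is exactly the lock-yourself-out scenario the reply warns about. A production deployment would also have to remember the file offset and notice log rotation, as the pkg-descr lists; this example reads the whole text each time.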