From: Tom Marchand
To: freebsd-questions@freebsd.org
Date: Wed, 17 Sep 2008 19:36:02 -0400
Subject: Re: Auto blacklist ssh connections ...

Why don't you have sshd listen on a different port?
I was getting 1000's of ssh login attempts until I changed the port sshd was listening on. I've found script kiddies aren't smart enough to check alt ports.

On Sep 17, 2008, at 7:15 PM, Marc G. Fournier wrote:

> Does anyone know of a utility that I can use with sshd to auto-block by IP if
> there are more than N failed attempts in a row?
>
> ie:
>
> # grep "Invalid user" /var/log/auth.log| awk '{print $10}' | sort | uniq -c | sort -nr
> 5268 140.113.210.174
> 4863 72.52.225.116
> 3586 116.14.255.141
> 2918 193.205.186.67
> 2033 219.76.75.6
> 1308 216.14.127.67
> 1059 61.72.106.71
> 983 93.123.14.9
> 691 202.75.221.197
> 649 59.77.33.139
> 381 201.80.15.207
> 269 190.10.255.73
> 212 81.252.254.189
> 181 123.151.32.12
> 150 211.21.47.50
> 139 196.219.63.3
> 128 200.111.64.171
>
> This is for one day ... I'd like to be able to throttle so that after X Invalid
> user attempts, the IP gets blocked ...
>
> Possible?
>
> --
> Marc G. Fournier Hub.Org Hosting Solutions S.A. (http://www.hub.org)
> Email . scrappy@hub.org MSN . scrappy@hub.org
> Yahoo . yscrappy Skype: hub.org ICQ . 7615664
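
The count-and-threshold step asked about in the quoted question, as an added example that is not part of either message: it tallies sshd "Invalid user" lines per source address and lists the addresses at or above a limit. The function names, the default limit of 3 and the sample log lines are assumptions made for the example; the log layout is the one implied by the `$10` in the quoted command.

```shell
#!/bin/sh
# Added example (not from the thread): count sshd "Invalid user" lines per
# source address and list the addresses at or above a limit.

THRESHOLD=${THRESHOLD:-3}   # assumed value; the post leaves N open

# over_threshold [N] < auth.log  ->  "count address" lines, highest count first
over_threshold() {
    awk -v n="${1:-$THRESHOLD}" '
        index($5, "sshd[") == 1 && $6 == "Invalid" && $7 == "user" {
            # The user name comes from the remote side and may contain
            # spaces, so a fixed field number can land on the wrong token.
            # Take the token that follows the last "from" instead.
            ip = ""
            for (i = 8; i < NF; i++) if ($i == "from") ip = $(i + 1)
            # Count only dotted-quad IPv4, the form shown in the post.
            if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) hits[ip]++
        }
        END { for (ip in hits) if (hits[ip] >= n) print hits[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample lines (documentation address ranges), not real log data.
sample_log() {
    cat <<'EOF'
Sep 17 03:10:01 host sshd[4101]: Invalid user admin from 192.0.2.10
Sep 17 03:10:03 host sshd[4102]: Invalid user test from 192.0.2.10
Sep 17 03:10:05 host sshd[4103]: Invalid user oracle from 192.0.2.10
Sep 17 03:11:00 host sshd[4110]: Invalid user guest from 198.51.100.7
Sep 17 03:11:02 host sshd[4111]: Invalid user backup admin from 198.51.100.7
Sep 17 03:11:04 host sshd[4112]: Invalid user web from 198.51.100.7 port 51515
Sep 17 03:12:00 host sshd[4120]: Invalid user bob from 203.0.113.9
Sep 17 03:12:30 host sshd[4121]: Accepted publickey for marc from 203.0.113.9 port 2222 ssh2
EOF
}

# Stand-alone run over the constructed sample.
sample_log | over_threshold "$THRESHOLD"
```

Against a real log the call is `over_threshold 10 < /var/log/auth.log`; what is then done with the listed addresses (for example, loading them into a firewall table) is left to the site.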