From owner-freebsd-questions@FreeBSD.ORG  Tue Nov 14 09:21:03 2006
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 6B1B316A416
	for <freebsd-questions@freebsd.org>;
	Tue, 14 Nov 2006 09:21:03 +0000 (UTC) (envelope-from ewhac@best.com)
Received: from ewhac.best.vwh.net (ewhac.best.vwh.net [192.220.66.121])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 0965943D8A
	for <freebsd-questions@freebsd.org>;
	Tue, 14 Nov 2006 09:20:48 +0000 (GMT) (envelope-from ewhac@best.com)
Received: (qmail 793 invoked by uid 17017); 14 Nov 2006 09:20:47 -0000
Received: from unknown (HELO walkies.ewhac.org) ([127.0.0.1])
	(envelope-sender <ewhac@best.com>)
	by 127.0.0.1 (qmail-ldap-1.03) with SMTP
	for <freebsd-questions@freebsd.org>; 14 Nov 2006 09:20:47 -0000
Received: from ewhac by walkies.ewhac.org with local (Exim 3.36 #1 (Debian))
	id 1GjuTF-0000sG-00
	for <freebsd-questions@freebsd.org>; Tue, 14 Nov 2006 01:20:45 -0800
Date: Tue, 14 Nov 2006 01:20:45 -0800
To: freebsd-questions@freebsd.org
Message-ID: <20061114092045.GB3207@best.com>
References: <20061113060528.GA7646@best.com> <4558D2A3.50904@locolomo.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <4558D2A3.50904@locolomo.org>
User-Agent: Mutt/1.5.13 (2006-08-11)
From: "Leo L. Schwab" <ewhac@best.com>
Subject: Re: Blocking SSH Brute-Force Attacks: What Am I Doing Wrong?
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Nov 2006 09:21:03 -0000

On Mon, Nov 13, 2006 at 09:16:35PM +0100, Erik Norgaard wrote:
> Honestly, I wouldn't worry about it: review your config and make some 
> simple choices to reduce the noise, see this article:
> 
>   http://www.securityfocus.com/infocus/1876
>
	But I rather thought that was the point of 'bruteblock' -- it
reduces the noise by blackholing the offending IPs for an hour or so.  This
blackholing doesn't appear to be happening, and I don't understand why.

	Could it be a permission problem -- syslog doesn't have permission
to change the firewall rules?

					Schwab