From: peter@bsdly.net (Peter N. M. Hansteen)
To: freebsd-questions@freebsd.org
Date: Thu, 18 Sep 2008 09:29:52 +0200
Subject: Re: Auto blacklist ssh connections ...
Message-ID: <87r67hsyhb.fsf@thingy.bsdly.net>
In-Reply-To: <14143EECEC1CC52A4BC39AC3@ganymede.hub.org> (Marc G. Fournier's message of "Wed, 17 Sep 2008 20:15:45 -0300")
References: <14143EECEC1CC52A4BC39AC3@ganymede.hub.org>
List-Id: User questions (freebsd-questions@freebsd.org)

"Marc G. Fournier" writes:

> Does anyone know of a utility that I can use with sshd to auto-block by IP if
> there are more than N failed attempts in a row?
With PF, you could use state tracking options and overload rules to set
limits on the rate of new connections from any one host and/or the rate
of new connections,

  pass quick proto { tcp, udp } from any to any port ssh \
          flags S/SA keep state \
          (max-src-conn 15, max-src-conn-rate 5/3, \
           overload <bruteforce> flush global)

supplemented by a rule that handles traffic from the bruteforce table
(block quick, assign to tiny queue, whatever).

One of the more popular pages in the PF tutorial () is about just that,
see for a wider range of formats.

There are other packages that will read your auth log and count, but
being sort of a PF guy I found the PF-based solution quite attractive
and flexible.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
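The message above shows only the pass rule. For readers who want to see the whole mechanism in one place, the following pf.conf fragment is an added example (not code from the original message or from the PF tutorial it points to) that adds the two pieces the reply leaves implicit: the table that `overload` feeds, and the `block` rule that handles addresses once they land in it. The interface name `em0` is an assumption; change it to whatever your external interface is called.

```pf
# Added example pf.conf fragment; not from the original message.
# Assumption: the external interface is em0.
ext_if = "em0"

# Addresses that trip the overload limits below are added to this table.
# "persist" keeps the table in the kernel even when no rule references it,
# so entries survive a ruleset reload.
table <bruteforce> persist

# Drop traffic from anything already caught.  This must come before the
# pass rule, because both use "quick" and the first match wins.
block in quick on $ext_if from <bruteforce>

# Allow ssh, but track state per source address:
#   max-src-conn 15        at most 15 simultaneous connections per source
#   max-src-conn-rate 5/3  at most 5 new connections in any 3-second window
# A source that exceeds either limit is added to <bruteforce>, and
# "flush global" tears down every state that source currently holds,
# not only its ssh states.  ssh is TCP only, so udp is omitted here.
pass in quick on $ext_if proto tcp from any to any port ssh \
    flags S/SA keep state \
    (max-src-conn 15, max-src-conn-rate 5/3, \
     overload <bruteforce> flush global)
```

Two practical notes. First, table entries added by `overload` never age out on their own; `pfctl -t bruteforce -T show` lists them, and a cron job running `pfctl -t bruteforce -T expire 86400` drops entries older than a day so a host that was blocked once is not blocked forever (`pfctl -t bruteforce -T delete <addr>` removes one by hand). Second, the limits count new TCP connections, not failed logins: a client that opens a single connection and burns through sshd's `MaxAuthTries` inside it is never seen by this rule, while a legitimate host running a burst of short ssh or scp sessions can trip it. Keep the thresholds generous, and consider a separate table of addresses that should never be overloaded, passed with its own rule ahead of this one.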