From: eculp@casasponti.net
To: freebsd-questions@freebsd.org
Date: Thu, 18 Sep 2008 08:19:40 -0500
Subject: Re: Auto blacklist ssh connections ...
Message-ID: <20080918081940.151830ffez6sh4mc@intranet.casasponti.net>
References: <14143EECEC1CC52A4BC39AC3@ganymede.hub.org> <20080918102206.GA87327@ozzmosis.com>
In-Reply-To: <20080918102206.GA87327@ozzmosis.com>
Quoting andrew clarke:

> On Wed 2008-09-17 19:36:02 UTC-0400, Tom Marchand
> (m0rchand@comcast.net) wrote:
>
>>> Does anyone know of a utility that I can use with sshd to auto-block
>>> by IP if there are more than N failed attempts in a row?
>
>> Why don't you have sshd listen on a different port?
>
> I imagine that on some hosts where there are multiple users/customers,
> moving sshd to another port isn't a practical solution due to people's
> habits in trying to connect to the default port. A human problem
> rather than a technical one.
>
> PS. Top posting is cruel.

I've been more or less watching this thread and haven't seen the use
of the ssh-bruteforce rules from the pf online howtos being
recommended. In my own case pf, in addition to a couple of other
changes, has worked well for us. In the other changes mentioned we
have also changed the ssh port, which doesn't add security but has
basically stopped logfiles full of dictionary attempts from what I
expect are Windows machines that have been violated and are being used
to find more.

I would highly recommend pf bruteforce rules or something similar with
other firewalls.

ed
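The pf "bruteforce" pattern the reply refers to, written out as an added example (this is not configuration from the mailing list post or from any particular howto). It assumes the external interface macro `$ext_if` is defined elsewhere in pf.conf, and the table name `bruteforce` and the connection thresholds are choices for illustration, not values from the thread:

```pf
# Assumed to be defined earlier in pf.conf, e.g. ext_if = "em0"
# ext_if = "em0"

# Table that collects offending source addresses. "persist" keeps the
# table (and its contents) even while no rule currently references it.
table <bruteforce> persist

# Drop everything from addresses already in the table, before any
# pass rule gets a chance to match.
block in quick from <bruteforce>

# Allow SSH, but track each source address:
#   max-src-conn 10       at most 10 simultaneous connections per source
#   max-src-conn-rate 5/30 at most 5 new connections per 30 seconds
# A source that exceeds either limit is added to <bruteforce>;
# "flush global" additionally kills every state that source already
# has, on any rule, not only the SSH ones.
pass in on $ext_if proto tcp to ($ext_if) port ssh flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/30, \
     overload <bruteforce> flush global)
```

Two operational points worth knowing before deploying this. First, the thresholds count TCP connections, not failed logins, so a legitimate office behind a single NAT address can trip the limit; keep the numbers generous, or exempt trusted management addresses with a `pass in quick` rule placed above the `block` rule. Second, entries never leave the table on their own: `pfctl -t bruteforce -T show` lists what has been caught, `pfctl -t bruteforce -T delete 192.0.2.10` (address constructed here) releases one entry, and a periodic `pfctl -t bruteforce -T expire 86400` from cron drops entries older than a day, which is the usual way to keep the table from growing forever.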