Date: Mon, 19 Sep 2011 16:02:55 -0400 From: James Strother <jstrother9109@gmail.com> To: freebsd-questions@freebsd.org Subject: Re: limit number of ssh connections Message-ID: <CAAOvGP3uPgcA2L%2B3%2BaLuAkyy3m72L3fxeDbt67gF1iC2xPMitQ@mail.gmail.com> In-Reply-To: <946851316461449@web97.yandex.ru> References: <CAAOvGP2Gj0=ZAYZn2KZYUa3NTCHVtUdtQqHumM1D5Ea26dzPrQ@mail.gmail.com> <946851316461449@web97.yandex.ru>
next in thread | previous in thread | raw e-mail | index | archive | help
That's an interesting project, I hadn't realized port knocking had become so easy to use. Unfortunately, for this particular server, I need to be able to provide a simple way for (a very limited number of) users to login into the system remotely using a variety of OS platforms. So I don't think port knocking is a good fit here. Thanks, Jim 2011/9/19 çÒÉÇÏÒØÅ× áÌÅËÓÁÎÄÒ <mr.festin@yandex.ru>: > If your target is protect freebsd box from bruting passwords from inet maybe security/knockd will help you? > > 19.09.2011, 23:05, "James Strother" <jstrother9109@gmail.com>: >> Does anyone know a good way of limiting the number of ssh attempts >> from a single IP address? >> >> I found the following website, which describes a variety of approaches: >> >> http://www.freebsdwiki.net/index.php/Block_repeated_illegal_or_failed_SSH_logins >> >> But I am honestly not really happy with any of them. šContinuously >> polling log files for regex hits seems...well crude. šJust to give you >> an idea of what I mean, here were some of the issues I had. The >> sshd-scan.sh script allows IPs to be reinstated, but the timing is >> dependent on how frequently you rotate logs. šsshguard has a pretty >> website, but I can't actually find much useful documentation on how to >> configure it. šfail2ban looks like it might work with sufficient work, >> but the defaults are terrible. šBy default, every time an IP is >> reinstated, all IPs are reinstated. šNot to mention, at present I >> can't seem to get it to trigger any hits. >> >> I suppose I could keep shopping, but the truth is I just think polling >> log files is the wrong way to solve the problem. šAnything based on >> this approach is going to have a long latency and be highly dependent >> on the unspecified and unstable formatting of log files (see >> http://www.fail2ban.org/wiki/index.php/HOWTO_Mac_OS_X_Server_(10.4) >> and the troubles an exclamation point can cause). >> >> I would much much rather do something like this: >> >> http://kevin.vanzonneveld.net/techblog/article/block_brute_force_attacks_with_iptables/ >> >> Does anyone know a way to do something similar with ipfw? >> >> Thanks in advance, >> ššJim >> _______________________________________________ >> freebsd-questions@freebsd.org mailing list >> http://lists.freebsd.org/mailman/listinfo/freebsd-questions >> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org" >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAAOvGP3uPgcA2L%2B3%2BaLuAkyy3m72L3fxeDbt67gF1iC2xPMitQ>