From: Randy Ramsdell <rramsdell@livedatagroup.com>
Date: Tue, 06 May 2008 17:24:31 -0400
CC: freebsd-questions
Subject: Re: [SSHd] Increasing wait time?
Message-ID: <4820CC8F.7010507@livedatagroup.com>
References: <200805060931.18936.beech@freebsd.org> <20080506173912.GB85015@Grumpy.DynDNS.org> <48209BFF.6090607@livedatagroup.com>

Doug Hardie wrote:
>
> On May 6, 2008, at 10:57, Randy Ramsdell wrote:
>
>> David Kelly wrote:
>>> On Tue, May 06, 2008 at 09:31:15AM -0800, Beech Rintoul wrote:
>>>
>>>>> Is there a way to configure SSHd, so that the wait time between
>>>>> login attempts increases after X failed tries?
>>>>>
>>>> Not that I know of. You should look into denyhosts (in the ports); it
>>>> works well and even has an RBL feature to block some of these script
>>>> kiddies proactively. Unfortunately, these attempts have become a fact
>>>> of life. I probably get 20 - 30 attempts a day between my various
>>>> servers.
>>>>
>>>
>>> Depending on how you use ssh from external systems you could add
>>> firewall rules to disallow all but known sources.
>>>
>>>
>> I used portsentry several years ago, which is a realtime portscan
>> blocker. It would trigger on this type of ssh portscan for sure. One
>> problem is that it blocks using firewall rules, hosts.deny etc...
>> and would have to be actively maintained. Meaning: I cleaned these
>> entries once a week. I am not sure it is ported to BSD either.
>
> Another option is to change the port SSH uses to some very unusual
> port. I do this on all the systems I use and change the port settings
> in ssh.conf and sshd.conf. This approach works if you don't have lots
> of users using SSH as it does require some sophistication to work with
> it. Since I have only 3 people who can use SSH it works great for me.

Yeah, this also works well. I just shy away from security through obscurity.
However, I also moved ssh to port 40001 or so and monitored SYN packets. I never logged an attempt to log in except auth'd users. It was never port scanned for ssh specifically either.
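One way to get the escalating wait the original question asks for, as an added example that is not from the thread or from denyhosts: a small Python log watcher that counts failed sshd logins per source address and doubles the block window each time a source trips the failure threshold. The log lines and addresses are constructed for the example; a real deployment would feed the returned block list into a firewall rule set or hosts.deny, as denyhosts and portsentry do.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd syslog lines (not from the thread); addresses are documentation ranges.
SAMPLE_LOG = """\
May  6 17:01:10 host sshd[1201]: Failed password for invalid user admin from 203.0.113.9 port 4411 ssh2
May  6 17:01:12 host sshd[1202]: Failed password for invalid user admin from 203.0.113.9 port 4412 ssh2
May  6 17:01:15 host sshd[1203]: Failed password for root from 203.0.113.9 port 4413 ssh2
May  6 17:01:20 host sshd[1204]: Failed password for root from 203.0.113.9 port 4414 ssh2
May  6 17:02:00 host sshd[1205]: Accepted publickey for rramsdell from 198.51.100.7 port 5011 ssh2
May  6 17:03:30 host sshd[1206]: Failed password for root from 203.0.113.9 port 4415 ssh2
May  6 17:03:35 host sshd[1207]: Failed password for root from 203.0.113.9 port 4416 ssh2
May  6 17:03:40 host sshd[1208]: Failed password for root from 203.0.113.9 port 4417 ssh2
May  6 17:04:00 host sshd[1209]: Failed password for root from 203.0.113.9 port 4418 ssh2
May  6 17:05:00 host sshd[1210]: Failed password for invalid user test from 192.0.2.44 port 6001 ssh2
"""

FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port \d+"
)


def escalating_blocks(log, threshold=3, base_wait=60, year=2008):
    """Return {source_ip: [(block_start, block_seconds), ...]}; every `threshold`
    failures from one source produce a block that doubles in length each time."""
    failures = defaultdict(int)      # failures since the last block, per source
    blocks = defaultdict(list)       # block history, per source
    blocked_until = {}               # end of the current block, per source
    for line in log.splitlines():
        m = FAILED.match(line)
        if not m:
            continue                 # successful logins and other noise are ignored
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if ip in blocked_until and ts < blocked_until[ip]:
            continue                 # inside an active block: a firewall rule would have dropped it
        failures[ip] += 1
        if failures[ip] >= threshold:
            wait = base_wait * 2 ** len(blocks[ip])   # 60s, 120s, 240s, ...
            blocks[ip].append((ts, wait))
            blocked_until[ip] = ts + timedelta(seconds=wait)
            failures[ip] = 0
    return dict(blocks)


if __name__ == "__main__":
    for ip, history in escalating_blocks(SAMPLE_LOG).items():
        for start, wait in history:
            print(f"{ip}: blocked for {wait}s from {start:%H:%M:%S}")
```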