Date: Wed, 17 Sep 2008 16:20:46 -0700
From: Chuck Swiger <cswiger@mac.com>
To: "Marc G. Fournier" <scrappy@hub.org>
Cc: freebsd-questions@freebsd.org
Subject: Re: Auto blacklist ssh connections ...
Message-ID: <A4DE8062-7916-4F72-8417-83F58E458020@mac.com>
In-Reply-To: <14143EECEC1CC52A4BC39AC3@ganymede.hub.org>
References: <14143EECEC1CC52A4BC39AC3@ganymede.hub.org>

On Sep 17, 2008, at 4:15 PM, Marc G. Fournier wrote:
> Does anyone know of a utility that I can use with sshd to auto-block
> by IP if there are more than N failed attempts in a row?

Certainly.  See:

% cat /usr/ports/security/denyhosts/pkg-descr
DenyHosts is a script intended to be run by *ix system administrators to help
thwart ssh server attacks.

If you've ever looked at your ssh log (/var/log/auth.log ) you may be alarmed
to see how many hackers attempted to gain access to your server.

Denyhosts helps you:
 - Parses /var/log/auth.log to find all login attempts
 - Can be run from the command line, cron or as a daemon (new in 0.9)
 - Records all failed login attempts for the user and offending host
 - For each host that exceeds a threshold count, records the evil host
 - Keeps track of each non-existent user (eg. sdada) when a login attempt
   failed.
 - Keeps track of each existing user (eg. root) when a login attempt failed.
 - Keeps track of each offending host (hosts can be purged )
 - Keeps track of suspicious logins
 - Keeps track of the file offset, so that you can reparse the same file
 - When the log file is rotated, the script will detect it
 - Appends /etc/hosts.allow
 - Optionally sends an email of newly banned hosts and suspicious logins.
 - Resolves IP addresses to hostnames, if you want

WWW: http://denyhosts.sourceforge.net/

Works fine.  Just be careful to whitelist some known-OK IPs first, as
you can end up blocking yourself out if someone is careless logging in
as the wrong user or similar....

Regards,
-- 
-Chuck
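
The threshold-plus-whitelist logic discussed in this message, as an added example (not from the original message and not DenyHosts' own code): it counts failed sshd logins in a row per host, resets on success, and skips whitelisted networks. The log lines are constructed, and the function names and the `sshd : IP : deny` rule format are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed events in sshd auth.log style (documentation-range addresses).
EVENTS = (
    [("Failed password for invalid user sdada", "203.0.113.5")]
    + [("Failed password for root", "203.0.113.5")] * 2
    + [("Failed password for alice", "198.51.100.7")] * 2
    + [("Accepted password for alice", "198.51.100.7")]
    + [("Failed password for alice", "198.51.100.7")]
    + [("Failed password for root", "192.0.2.10")] * 3  # admin using the wrong user
)
SAMPLE_LOG = ["Sep 17 16:00:0%d host sshd[%d]: %s from %s port 4242 ssh2"
              % (i, 900 + i, msg, ip) for i, (msg, ip) in enumerate(EVENTS)]

# Matches sshd "Failed <method> for ..." and "Accepted <method> for ..." lines.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) \S+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def hosts_to_block(lines, threshold, whitelist=()):
    """Return IPs with >= threshold failures in a row, in the order they tripped."""
    allowed = [ipaddress.ip_network(net) for net in whitelist]
    streak, blocked = defaultdict(int), []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # address field is a hostname or malformed
        if any(ip in net for net in allowed):
            continue  # known-OK host: never counted, so never blocked
        key = str(ip)
        if m["result"] == "Accepted":
            streak[key] = 0  # a successful login ends the run of failures
            continue
        streak[key] += 1
        if streak[key] >= threshold and key not in blocked:
            blocked.append(key)
    return blocked

def deny_rules(ips):
    # Assumed tcp-wrappers rule format for the lines appended to /etc/hosts.allow.
    return ["sshd : %s : deny" % ip for ip in ips]
```

Without a whitelist, the admin host at 192.0.2.10 is blocked after three mistyped logins; passing `["192.0.2.0/24"]` keeps it reachable.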