From: Jeffrey Goldberg
To: FreeBSD Questions
Date: Wed, 3 Dec 2008 19:43:26 -0600
Subject: Firewalls using a DNSbl (and distributed ssh attacks)
List-Id: User questions

It's not a big issue, but I'm wondering if there is a DNSBl that lists IPs that are engaging in brute force ssh attacks. And if there is such a list, is there a way to integrate that information into a firewall or sshd?
As I've said, this really isn't a big issue for me, as the brute force attempts at sshd are nothing but an annoyance as I review logs. The attacks that I'm seeing appear to be coordinated and distributed. That is, there will be one attempt on username "fred" from one IP, immediately followed by an attempt on "freddy" from another IP, followed by an attempt on "fredrick" from a third source, and so on.

Cheers,

-j

--
Jeffrey Goldberg
http://www.goldmark.org/jeff/
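The distributed pattern described above (one username per source address, rotating addresses) is what per-source rate limiting misses. As an added example, not code from the original post, the following groups sshd "Invalid user" failures into short time windows and flags windows whose attempts come from several distinct addresses; it also builds the reversed-octet query name used for IPv4 DNSBL lookups. The log lines are constructed, the addresses are documentation ranges, and the DNSBL zone is a placeholder.

```python
import re
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed sample auth.log lines in the usual sshd format (not real traffic).
SAMPLE_LOG = """\
Dec  3 19:40:01 hagrid sshd[1201]: Invalid user fred from 192.0.2.10
Dec  3 19:40:03 hagrid sshd[1202]: Invalid user freddy from 198.51.100.7
Dec  3 19:40:05 hagrid sshd[1203]: Invalid user fredrick from 203.0.113.44
Dec  3 19:40:08 hagrid sshd[1204]: Invalid user frederic from 192.0.2.11
Dec  3 19:55:00 hagrid sshd[1300]: Accepted publickey for jeff from 192.0.2.99 port 50122 ssh2
"""

Failure = namedtuple("Failure", "ts user ip")
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Invalid user (\S+) from (\S+)")

def parse_failures(text, year=2008):
    """Extract (timestamp, username, source IP) from 'Invalid user' lines; syslog omits the year."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append(Failure(ts, m.group(2), m.group(3)))
    return events

def find_distributed_bursts(events, window=timedelta(seconds=60), min_ips=3):
    """Slice failures into windows starting at each unclaimed event; report windows
    where attempts come from at least min_ips distinct addresses (a burst from one
    address is plain brute force and is better handled by per-source limits)."""
    events, bursts, i = sorted(events), [], 0
    while i < len(events):
        j = i
        while j < len(events) and events[j].ts - events[i].ts <= window:
            j += 1
        chunk = events[i:j]
        ips = sorted({e.ip for e in chunk})
        if len(ips) >= min_ips:
            bursts.append({"start": chunk[0].ts, "users": [e.user for e in chunk], "ips": ips})
        i = j
    return bursts

def dnsbl_query_name(ip, zone):
    """Name to resolve for an IPv4 DNSBL check: octets reversed, zone appended.
    An A answer (conventionally 127.0.0.x) means the address is listed; 'zone'
    here is a placeholder, the poster's question does not name a specific list."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip}")
    return ".".join(reversed(octets)) + "." + zone.strip(".")
```

A burst's `ips` list is what you would feed into a firewall table or a DNSBL check; the `Accepted` line is deliberately ignored so successful logins never count toward a burst.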