From: Ean Kingston
To: freebsd-questions@freebsd.org
Date: Wed, 12 Apr 2006 21:32:02 -0400
Subject: Re: How to Stop Brute Force ssh Attempts?
Message-Id: <200604122132.02742.ean@istop.com>
In-Reply-To: <894280FF-CB83-4EEA-9CAD-422A34068354@taconic.net>
References: <441C45BA.1030106@chrismaness.com> <894280FF-CB83-4EEA-9CAD-422A34068354@taconic.net>

On Tuesday 11 April 2006 21:35, Jonathan Franks wrote:
> On Mar 18, 2006, at 12:39 PM, Chris Maness wrote:
> > In my auth log I see a lot of brute force attempts to login via
> > ssh. Is there a way I can have the box automatically kill any tcp/
> > ip connectivity to hosts that try and fail a given number of
> > times? Is there a port or something that I can install to give
> > this kind of protection. I'm still kind of a FreeBSD newbie.

I set up SSH to use public key authentication only. That way they can hammer away at my ssh server till the cows come home and they will never get in with a password. I also use tcpwrappers (built into the ssh daemon) for the particularly obnoxious ones.

> If you are using PF, you can use source tracking to drop the
> offenders into a table... perhaps after a certain number of attempts
> in a given time (say, 5 in a minute). Once you have the table you're
> in business... you can block based on it... and then set up a cron
> job to copy the table to disk every so often (perhaps once every two
> minutes). It works very well for me, YMMV.
>
> If you don't want to block permanently, you could use cron to flush
> the table every so often too... I don't bother though.
>
> -Jonathan

-- 
Ean Kingston, BSc, CISSP, ARO
Computer Security and Privacy Consulting
PGP KeyID: CBC5D6BB
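The PF source-tracking setup Jonathan describes, written out as an added pf.conf example that is not from the thread; it assumes the external interface is em0, a table named <bruteforce>, and a table file under /var/db (all placeholder names).

```pf
# Added example (not from the thread): pf.conf rules implementing the
# source-tracking approach described above. Assumes the external
# interface is em0 and the offender table is named <bruteforce>.
ext_if = "em0"

# Offenders live in this table; "persist" keeps it across rule reloads,
# and the file lets the table survive a reboot (see cron lines below).
table <bruteforce> persist file "/var/db/pf-bruteforce.tbl"

# Drop everything from hosts already in the table.
block in quick on $ext_if from <bruteforce>

# Allow ssh, but track each source: more than 5 new connections in
# 60 seconds (or more than 10 concurrent) puts the source into the
# table, and "flush global" tears down every state it already holds.
pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/60, \
     overload <bruteforce> flush global)

# root crontab entries that go with the rules above:
#   copy the table to disk every two minutes so entries survive a reboot:
#     */2 * * * * /sbin/pfctl -t bruteforce -T show > /var/db/pf-bruteforce.tbl
#   optional, if you do not want to block forever: drop entries older
#   than one day (86400 seconds) once an hour:
#     0 * * * * /sbin/pfctl -t bruteforce -T expire 86400
```

Note that this counts new TCP connections per source, not failed logins, so a scanner that opens many short sessions is caught even before sshd logs a failure; it complements rather than replaces disabling password authentication in sshd_config.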