From: Ben Schumacher
To: Anton Shterenlikht
Cc: freebsd-questions@freebsd.org
Date: Mon, 11 Jan 2010 10:40:24 -0700
Subject: Re: denying spam hosts ssh access - good idea?

On Mon, Jan 11, 2010 at 7:01 AM, Anton Shterenlikht wrote:
> I'm thinking of denying ssh access to hosts from which
> I get brute force ssh attacks.
>
> However, I see in /etc/hosts.allow:
>
> # Wrapping sshd(8) is not normally a good idea, but if you
> # need to do it, here's how
> #sshd : .evil.cracker.example.com : deny
>
> Why is it not a good idea?
>
> Also, apparently in older ssh there was DenyHosts option,
> but no longer in the current version.
> Is there a replacement for DenyHosts?
> Or is there a good reason for such option not to be used?

Anton-

In the general theme of this thread -- not answering your question,
but providing an alternate solution -- sshguard from ports works
fantastically for me. It interfaces with both ipfw and pf firewalls (I
use it with pf) and has a built-in timeout. I use syslog on several
machines behind my firewall to forward SSH authentication failures to my
FreeBSD firewall that uses PF and it quickly identifies and blocks
brute-force attacks.

From my syslog.conf:

    !sshd
    auth.info    @wall

The handy thing here is that it has built-in timeout rules so if you do
something silly and block yourself out temporarily, it'll eventually
straighten itself out.

Cheers,
Ben
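
The flow described in the message above (sshd failures from several machines forwarded to one host, counted per source address, blocked, then released after a timeout), as an added example that is not part of the original post and is not sshguard's code. The threshold, window and block duration are assumed values rather than sshguard defaults, the log lines are constructed, and the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: sshd lines from two machines (web1, db1) as they would
# arrive on the central log host after forwarding.
SAMPLE_LOG = """\
Jan 11 09:00:01 web1 sshd[411]: Failed password for root from 203.0.113.7 port 40112 ssh2
Jan 11 09:00:03 web1 sshd[411]: Failed password for invalid user admin from 203.0.113.7 port 40113 ssh2
Jan 11 09:00:04 db1 sshd[902]: Accepted publickey for ben from 198.51.100.20 port 51000 ssh2
Jan 11 09:00:06 db1 sshd[903]: Failed password for root from 203.0.113.7 port 40115 ssh2
Jan 11 09:00:09 web1 sshd[412]: Failed password for ben from 198.51.100.20 port 51001 ssh2
Jan 11 09:00:10 db1 sshd[904]: Failed password for invalid user test from 203.0.113.7 port 40120 ssh2
"""

FAILED = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

THRESHOLD = 4                      # assumed: failures before a source is blocked
WINDOW = timedelta(minutes=20)     # assumed: failures older than this are forgotten
BLOCK_FOR = timedelta(minutes=7)   # assumed: block lifetime before automatic release

def parse_failures(text, year=2010):
    """Yield (timestamp, source_ip) per failed-password line; syslog omits the year."""
    for line in text.splitlines():
        m = FAILED.match(line)
        if m:
            yield datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"), m.group(2)

def compute_blocks(events):
    """Return {ip: (blocked_at, expires_at)}, counting failures across all hosts."""
    recent, blocks = {}, {}
    for ts, ip in events:
        if ip in blocks and ts < blocks[ip][1]:
            continue                              # already blocked, nothing to count
        hits = [t for t in recent.get(ip, []) if ts - t <= WINDOW] + [ts]
        recent[ip] = hits
        if len(hits) >= THRESHOLD:
            blocks[ip] = (ts, ts + BLOCK_FOR)
            recent[ip] = []                       # start fresh once the block lapses
    return blocks

def is_blocked(blocks, ip, now):
    """True only while the block is live; an expired entry releases itself."""
    entry = blocks.get(ip)
    return entry is not None and entry[0] <= now < entry[1]

if __name__ == "__main__":
    for ip, (start, end) in compute_blocks(parse_failures(SAMPLE_LOG)).items():
        print(f"block {ip} from {start:%H:%M:%S} until {end:%H:%M:%S}")
```

No single machine in the sample sees four failures from 203.0.113.7; the block only triggers because the failures from web1 and db1 are counted in one place.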