Date: Tue, 06 May 2008 20:35:54 +0200
From: Peter Boosten <peter@boosten.org>
To: Beech Rintoul <beech@freebsd.org>
Cc: Gilles <gilles.ganault@free.fr>, David Kelly <dkelly@hiwaay.net>, freebsd-questions@freebsd.org
Subject: Re: [SSHd] Increasing wait time?
Message-ID: <4820A50A.6060503@boosten.org>
In-Reply-To: <200805060959.28509.beech@freebsd.org>
References: <q7412457qoumm8v8dbth10fug2ctbrlfp0@4ax.com> <200805060931.18936.beech@freebsd.org> <20080506173912.GB85015@Grumpy.DynDNS.org> <200805060959.28509.beech@freebsd.org>
Beech Rintoul wrote:
> On Tuesday 06 May 2008, David Kelly said:
>> On Tue, May 06, 2008 at 09:31:15AM -0800, Beech Rintoul wrote:
>>>> Is there a way to configure SSHd, so that the wait time between
>>>> login attempts increases after X failed tries?
>>> Not that I know of. You should look into denyhosts (in the ports)
>>> it works well and even has a RBL feature to block some of these
>>> script kiddies proactively. Unfortunately, these attempts have
>>> become a fact of life. I probably get 20 - 30 attempts a day
>>> between my various servers.
>> Depending on how you use ssh from external systems you could add
>> firewall rules to disallow all but known sources.
>
> I was doing that in the past, but I found it to be inflexible and
> sometimes a pain to deal with. I sometimes need to access a server
> from a new location and that kind of hard lockdown just isn't
> practical. The denyhosts solution works very well for me and the RBL
> feature blocks 9 out of 10 attempts outright.
>

It's quite simple if you're using pf: in your pf.conf:

************
# $ext_if must be defined as a macro earlier in pf.conf
# table of offending addresses; 'persist' keeps it even when empty
table <blacklist> persist
# drop anything from a listed address before the pass rule is reached
block in quick on $ext_if proto tcp from <blacklist> to any \
    port 22 label "ssh bruteforce"
# allow ssh, but track each source: more than 15 concurrent connections
# or more than 5/40s puts the source into <blacklist> and kills its states
pass in on $ext_if inet proto tcp from any to any port ssh flags S/SA \
    keep state (max-src-conn 15, max-src-conn-rate 5/40, \
    overload <blacklist> flush global)
************

What it does is check whether more than 15 connections are made from the same IP address, or 5 within 40 seconds. If that happens the offending IP address is put in a dynamic list called blacklist and gets blocked. Works like a charm.

Another option is sshguard (/usr/ports/security/sshguard)

Peter
--
http://www.boosten.org
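Below, as an added illustration that is not part of Peter's message or of pf itself, is a small Python model of the per-source bookkeeping the pass rule performs: max-src-conn counts established connections, max-src-conn-rate is pf's decaying threshold counter checked when a handshake completes, and an overload inserts the source into <blacklist> and flushes its states. The addresses and event timings are constructed sample data.

```python
from collections import defaultdict

MAX_SRC_CONN = 15               # max-src-conn 15
RATE_LIMIT, RATE_SECS = 5, 40   # max-src-conn-rate 5/40
MULT = 1000                     # pf scales the rate counter so decay is integer math


class SshOverloadModel:
    """Per-source bookkeeping behind the pass/overload rule (a model, not pf)."""

    def __init__(self):
        self.conn = defaultdict(int)   # established states per source address
        self.rate = {}                 # source -> (scaled count, last handshake time)
        self.blacklist = {}            # <blacklist> table: source -> insertion time

    def _rate_exceeded(self, src, now):
        # Decaying counter as in pf: it loses count*diff/seconds since the last
        # hit, resets after a full window has passed, then gains one scaled hit.
        count, last = self.rate.get(src, (0, now))
        diff = now - last
        count = 0 if diff >= RATE_SECS else count - count * diff // RATE_SECS
        count += MULT
        self.rate[src] = (count, now)
        return count > RATE_LIMIT * MULT

    def new_connection(self, src, now):
        """A TCP handshake to port 22 from src completes at time now (seconds)."""
        if src in self.blacklist:      # block in quick ... from <blacklist>
            return "blocked"
        self.conn[src] += 1
        over_rate = self._rate_exceeded(src, now)
        if self.conn[src] > MAX_SRC_CONN or over_rate:
            self.blacklist[src] = now  # overload <blacklist>
            self.conn[src] = 0         # flush global: its existing states are killed
            return "overload"
        return "pass"

    def closed(self, src):
        """State for one connection from src is removed (FIN/RST/timeout)."""
        self.conn[src] = max(0, self.conn[src] - 1)

    def expire(self, now, max_age):
        """Like 'pfctl -t blacklist -T expire <max_age>': drop entries older than max_age."""
        self.blacklist = {s: t for s, t in self.blacklist.items() if now - t < max_age}


if __name__ == "__main__":
    m = SshOverloadModel()
    # Constructed sample: seven handshakes in seven seconds from one address.
    print([m.new_connection("192.0.2.10", t) for t in range(7)])
```

The rate counter sees completed TCP handshakes, not failed logins, so a script opening many ssh or scp sessions in quick succession from one address is listed just like a brute-forcer. Entries stay in the persist table until removed, for example by a periodic pfctl -t blacklist -T expire run.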
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4820A50A.6060503>