From owner-freebsd-questions@FreeBSD.ORG Tue May 6 18:40:17 2008 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4877D10656B4 for ; Tue, 6 May 2008 18:40:17 +0000 (UTC) (envelope-from bc979@lafn.org) Received: from zoot.lafn.org (zoot.lafn.ORG [206.117.18.6]) by mx1.freebsd.org (Postfix) with ESMTP id 1F19A8FC12 for ; Tue, 6 May 2008 18:40:16 +0000 (UTC) (envelope-from bc979@lafn.org) Received: from [10.0.1.2] (pool-71-109-162-173.lsanca.dsl-w.verizon.net [71.109.162.173]) (authenticated bits=0) by zoot.lafn.org (8.13.6/8.13.4) with ESMTP id m46IeFN4076987 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO) for ; Tue, 6 May 2008 11:40:16 -0700 (PDT) (envelope-from bc979@lafn.org) Message-Id: From: Doug Hardie To: freebsd-questions In-Reply-To: <48209BFF.6090607@livedatagroup.com> Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes Content-Transfer-Encoding: 7bit Mime-Version: 1.0 (Apple Message framework v919.2) Date: Tue, 6 May 2008 11:40:14 -0700 References: <200805060931.18936.beech@freebsd.org> <20080506173912.GB85015@Grumpy.DynDNS.org> <48209BFF.6090607@livedatagroup.com> X-Mailer: Apple Mail (2.919.2) X-Virus-Scanned: ClamAV 0.88.7/7040/Mon May 5 18:52:15 2008 on zoot.lafn.org X-Virus-Status: Clean Subject: Re: [SSHd] Increasing wait time? X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 06 May 2008 18:40:17 -0000 On May 6, 2008, at 10:57, Randy Ramsdell wrote: > David Kelly wrote: >> On Tue, May 06, 2008 at 09:31:15AM -0800, Beech Rintoul wrote: >> >>>> Is there a way to configure SSHd, so that the wait time between >>>> login attempts increases after X failed tries? >>>> >>> Not that I know of. You should look into denyhosts (in the ports) it >>> works well and even has a RBL feature to block some of these script >>> kiddies proactively. Unfortunately, these attempts have become a >>> fact >>> of life. I probably get 20 - 30 attempts a day between my various >>> servers. >>> >> >> Depending on how you use ssh from external systems you could add >> firewall rules to disallow all but known sources. >> >> > I used portsentry several years ago which is a realtime portscan > blocker. It would trigger on this type of ssh portscan for sure. One > problem is that it blocks using firewall rules, hosts.deny etc... > and would have to be actively maintained. Meaning: I cleaned these > entries once a week. I am not sure it is ported to BSD either. Another option is to change the port SSH uses to some very unusual port. I do this on all the systems I use and change the port settings in ssh.conf and sshd.conf. This approach works if you don't have lots of users using SSH as it does require some sophistication to work with it. Since I have only 3 people who can use SSH it works great for me.