Date: Tue, 27 Nov 2012 16:25:45 -0700
Subject: Re: denyhosts, fail2ban, or something else?
From: Josh Beard
To: Aleksandr Miroslav
Cc: freebsd-questions@freebsd.org

On Tue, Nov 27, 2012 at 3:25 PM, Aleksandr Miroslav wrote:

> Finally got sick of seeing tons of ssh break-in attempts in my logs. Am
> considering using denyhosts, or fail2ban. Anyone have any experience
> with these?
>
> I'm already using the AllowUsers facility of ssh to only allow specific
> users in, so I'm not overly concerned about the attempts.
>
> This is for a FreeBSD 8.x box running pf, btw.
>
> Thanks
>

I've been using fail2ban (security/py-fail2ban) for a few years on my FreeBSD and Linux systems and can't complain. I like that I can easily write a regex for any arbitrary log file and perform any action I want. By default, the port will install both ipfw and pf "actions."

I can't give an honest opinion about DenyHosts or SSHGuard, having never used them. Fail2Ban, however, isn't specific to a service or action - simply a regex matches a log file and performs an action.

Josh
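The mechanism described in the reply above (a regex matched against a log file, then an action), as an added example that is not part of the original message and not fail2ban's own code. The log lines are constructed; the <HOST> placeholder, maxretry and findtime follow fail2ban's naming, while the function names and the pf table name "fail2ban" are assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in /var/log/auth.log style (documentation addresses only).
SAMPLE_LOG = """\
Nov 27 15:01:02 host sshd[811]: Invalid user admin from 203.0.113.7
Nov 27 15:01:05 host sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Nov 27 15:01:09 host sshd[815]: Failed password for root from 203.0.113.7 port 40120 ssh2
Nov 27 15:02:00 host sshd[820]: Accepted publickey for josh from 198.51.100.4 port 50022 ssh2
Nov 27 15:20:00 host sshd[830]: Failed password for root from 198.51.100.9 port 41000 ssh2
Nov 27 15:45:00 host sshd[840]: Failed password for root from 198.51.100.9 port 41001 ssh2
Nov 27 15:45:30 host sshd[841]: Failed password for bob from 198.51.100.9 port 41002 ssh2
"""

# Filter patterns mark the address with <HOST>. They are anchored at end of line
# so text inside an attacker-chosen username cannot stand in for the address.
FAILREGEX = [
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from <HOST> port \d+ ssh2$",
    r"sshd\[\d+\]: Invalid user \S+ from <HOST>(?: port \d+)?$",
]

def find_bans(log_text, patterns, maxretry=3, findtime=600, year=2012):
    """Return addresses with >= maxretry matches inside findtime seconds, in ban order."""
    regexes = [re.compile(p.replace("<HOST>", r"(?P<host>\S+)")) for p in patterns]
    window = timedelta(seconds=findtime)
    hits = defaultdict(deque)   # address -> timestamps still inside the window
    banned = []
    for line in log_text.splitlines():
        match = next((m for m in (r.search(line) for r in regexes) if m), None)
        if not match:
            continue
        try:
            # Only a valid IP literal is ever handed on to the firewall action.
            host = str(ipaddress.ip_address(match.group("host")))
            when = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        except ValueError:
            continue            # not an address, or unparsable syslog timestamp
        q = hits[host]
        q.append(when)
        while when - q[0] > window:
            q.popleft()         # forget failures older than findtime
        if len(q) >= maxretry and host not in banned:
            banned.append(host)
    return banned

def pf_action(host, table="fail2ban"):
    # The "action" half: argument list that adds the address to a pf table.
    return ["pfctl", "-t", table, "-T", "add", host]
```

The table only has an effect if pf.conf declares it and contains a block rule that references it.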