Date: Thu, 18 Sep 2008 09:29:52 +0200 From: peter@bsdly.net (Peter N. M. Hansteen) To: freebsd-questions@freebsd.org Subject: Re: Auto blacklist ssh connections ... Message-ID: <87r67hsyhb.fsf@thingy.bsdly.net> In-Reply-To: <14143EECEC1CC52A4BC39AC3@ganymede.hub.org> (Marc G. Fournier's message of "Wed, 17 Sep 2008 20:15:45 -0300") References: <14143EECEC1CC52A4BC39AC3@ganymede.hub.org>
next in thread | previous in thread | raw e-mail | index | archive | help
"Marc G. Fournier" <scrappy@hub.org> writes:
> Does anyone know of a utility that I can use with sshd to auto-block by IP if
> there are more then N failed attempts in a row?
With PF, you could use state tracking options and overload rules to
set limits on the rate of new connections from any one host and/or the
rate of new connections,
pass quick proto { tcp, udp } from any to any port ssh \
flags S/SA keep state \
(max-src-conn 15, max-src-conn-rate 5/3, \
overload <bruteforce> flush global)
supplemented by a rule that handles traffic from the bruteforce table
(block quick, assign to tiny queue, whatever). One of the more popular
pages in the PF tutorial (<http://home.nuug.no/~peter/pf/en/bruteforce.html>)
is about just that, see <http://home.nuug.no/~peter/pf/>; for a wider range
of formats.
There are other packages that will read your auth log and count, but being
sort of a PF guy I found the PF-based solution quite attractive and flexible.
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?87r67hsyhb.fsf>