Date: Thu, 18 Sep 2008 09:29:52 +0200
From: peter@bsdly.net (Peter N. M. Hansteen)
To: freebsd-questions@freebsd.org
Subject: Re: Auto blacklist ssh connections ...
Message-ID: <87r67hsyhb.fsf@thingy.bsdly.net>
In-Reply-To: <14143EECEC1CC52A4BC39AC3@ganymede.hub.org> (Marc G. Fournier's message of "Wed, 17 Sep 2008 20:15:45 -0300")
References: <14143EECEC1CC52A4BC39AC3@ganymede.hub.org>
"Marc G. Fournier" <scrappy@hub.org> writes:

> Does anyone know of a utility that I can use with sshd to auto-block by IP if
> there are more than N failed attempts in a row?

With PF, you could use state tracking options and overload rules to set limits on the rate of new connections from any one host and/or the rate of new connections,

    pass quick proto { tcp, udp } from any to any port ssh \
        flags S/SA keep state \
        (max-src-conn 15, max-src-conn-rate 5/3, \
        overload <bruteforce> flush global)

supplemented by a rule that handles traffic from the bruteforce table (block quick, assign to tiny queue, whatever).

One of the more popular pages in the PF tutorial (<http://home.nuug.no/~peter/pf/en/bruteforce.html>) is about just that, see <http://home.nuug.no/~peter/pf/> for a wider range of formats.

There are other packages that will read your auth log and count, but being sort of a PF guy I found the PF-based solution quite attractive and flexible.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
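The reply shows only the pass rule; the pf.conf fragment below is an added example (not part of the original message) that puts it together with the table definition and the block rule the reply leaves to the reader, keeping the reply's thresholds and assuming `proto tcp` since ssh is TCP-only:

```pf
# Added example: hypothetical pf.conf fragment, not from the original message.
# The table outlives rule reloads; "persist" keeps it even when no loaded
# rule currently references it.
table <bruteforce> persist

# Drop anything from hosts already in the table. Order matters: "quick"
# stops evaluation at the first matching rule, so this must come before
# the pass quick rule or it would never be reached.
block quick from <bruteforce>

# Allow new SSH connections, but track them per source host:
#   max-src-conn 15       - at most 15 simultaneous established connections
#                           from one source address
#   max-src-conn-rate 5/3 - at most 5 new connections per 3 seconds
#                           from one source address
# A host exceeding either limit is added to <bruteforce>; "flush global"
# also kills that host's existing states, not just the ones this rule made.
pass quick proto tcp from any to any port ssh \
    flags S/SA keep state \
    (max-src-conn 15, max-src-conn-rate 5/3, \
     overload <bruteforce> flush global)

# Table maintenance from the shell (run as root):
#   pfctl -t bruteforce -T show           # list currently blocked hosts
#   pfctl -t bruteforce -T expire 86400   # drop entries older than one day
#   pfctl -t bruteforce -T delete 192.0.2.10   # unblock a single host
```

The expire command is typically run from cron so that blocked addresses age out instead of accumulating forever; the address in the delete line is a documentation-range placeholder.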