From: Jonathan Franks
Date: Tue, 11 Apr 2006 21:35:08 -0400
To: Chris Maness
Cc: freebsd-questions@freebsd.org
Subject: Re: How to Stop Brute Force ssh Attempts?

On Mar 18, 2006, at 12:39 PM, Chris Maness wrote:
> In my auth log I see a lot of brute force attempts to login via
> ssh. Is there a way I can have the box automatically kill any tcp/ip
> connectivity to hosts that try and fail a given number of
> times? Is there a port or something that I can install to give
> this kind of protection. I'm still kind of a FreeBSD newbie.
If you are using PF, you can use source tracking to drop the offenders into a table... perhaps after a certain number of attempts in a given time (say, 5 in a minute). Once you have the table you're in business... you can block based on it... and then set up a cron job to copy the table to disk every so often (perhaps once every two minutes). It works very well for me, YMMV. If you don't want to block permanently, you could use cron to flush the table every so often too... I don't bother though.

-Jonathan
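The setup Jonathan describes, written out as an added pf.conf fragment with the matching cron lines (this is an illustrative example, not Jonathan's own configuration); the interface name, the table names <bruteforce> and <trusted>, the addresses in <trusted>, and the file paths are assumptions, while the thresholds (5 attempts in a minute, a save every two minutes) are taken from his post.

```pf
# /etc/pf.conf fragment (added example; names and paths are assumptions).
ext_if = "em0"

# Admin hosts that must never be locked out; replace with your own.
table <trusted> { 192.0.2.10, 198.51.100.0/24 }

# Offender table. "persist" keeps it alive even with no rule referencing
# it, and "file" reloads the saved entries at boot / on "pfctl -f".
# Create the file once with "touch /etc/pf.bruteforce" before loading.
table <bruteforce> persist file "/etc/pf.bruteforce"

# Drop offenders before any pass rule is evaluated.
block in quick on $ext_if from <bruteforce>

# Trusted hosts bypass the rate limit ("quick" so the next rule cannot
# override this one; PF otherwise uses last-match-wins).
pass in quick on $ext_if proto tcp from <trusted> to ($ext_if) port ssh \
    flags S/SA keep state

# Source tracking: more than 5 new SSH connections from one address in
# 60 seconds adds that address to <bruteforce>. "flush global" also
# tears down the states the offender already holds.
pass in on $ext_if proto tcp to ($ext_if) port ssh flags S/SA keep state \
    (max-src-conn-rate 5/60, overload <bruteforce> flush global)

# /etc/crontab lines (assumed) for the save and optional expiry steps.
# Save the table to disk every two minutes so it survives a reboot:
#   */2 * * * *  root  /sbin/pfctl -t bruteforce -T show > /etc/pf.bruteforce
# Optional: instead of blocking forever, expire entries older than a day:
#   0 * * * *    root  /sbin/pfctl -t bruteforce -T expire 86400
```

Check the result with `pfctl -t bruteforce -T show` after a burst of connections, and confirm your own address is in <trusted> before enabling the rules on a remote box.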