limiting ssh login attempts by ip

Lowell Gilbert freebsd-questions-local at
Wed Dec 1 06:28:41 PST 2004

csnyder <chsnyder at> writes:

> I've noticed a marked increase in dictionary attacks against sshd
> lately -- tens or even hundreds of connection attempts from the same
> IP address within a short timespan.

That's not enough attempts to qualify as a dictionary attack.  Based
on what I've seen on my own machine, it seems to be trying "default"
passwords from some particular Linux distribution.  I keep an eye on
them, and make sure that the targeted accounts don't have valid
passwords at all, but mostly I ignore them.

> I wrote a script that creates firewall rules to drop packets from IPs
> with more than n login failures over the last 10 minutes, but it's a
> half-measure -- in the minute it takes for cron to get to it, an
> attacking script can try a lot of different passwords, even with
> MaxStartups set low.

And on the other hand, you're opening up the possibility of an attack
where somebody deliberately makes your system inaccessible from some
other system which they can either access or spoof.

> How do you protect your servers from this kind of attack? Especially
> on where you can't enforce a strict password policy or make everyone
> use keys?

I don't worry about it too much.  Most of the attempts are against
system accounts which can't log in from the network on my machine
anyway.  If my legitimate user accounts were getting hit that way, 
I would do more about it, but these are clearly not focused attacks 
on my machine.

Be well.
Lowell Gilbert, embedded/networking software engineer, Boston area

More information about the freebsd-questions mailing list