blacklisting failed ssh attempts
bc979 at lafn.org
Wed Dec 1 10:08:47 PST 2004
On Dec 1, 2004, at 09:41, Charles Ulrich wrote:
> This morning I noticed that an attacker spent over a full hour trying
> brute-force accounts and passwords via ssh on one of our machines.
> These kinds
> of attacks are becoming more frequent.
> I was wondering: does anyone know of a way to blacklist a certain IP
> just for a certain time period) after a certain number of failed login
> attempts via ssh? I could change the port that sshd listens on, but
> I'd rather
> find a better solution, one that isn't just another layer of obscurity.
I tried null routing their addresses and that stops that address.
However, a day or so later they are back from a different address.
After a couple months of this I changed the ports. Its a real pain.
More information about the freebsd-questions