autoblocking many ssh failed logins from the same IP....

Edward ep_lists at peckham.me.uk
Tue Jul 5 11:03:27 GMT 2005


John Cholewa wrote:

> Jun 30 10:36:05 phantom sshd[70478]: Failed password for news from 
> 212.88.182.121 port 51218 ssh2
> Jun 30 10:36:16 phantom sshd[70500]: Failed password for sshd from 
> 212.88.182.121 port 51608 ssh2
> Jun 30 10:36:39 phantom sshd[70569]: Failed password for root from 
> 212.88.182.121 port 52297 ssh2
>
> I get the above a lot in my logs (except more of it).  Each day, a 
> couple hundred failed attempts to log in from one or sometimes two IP 
> addresses shows up.  I don't have anything like ipf running, and since 
> this machine is about fifteen hundred miles away from me, I don't want 
> to experiment with software firewalling right now.
>
> That known, is there any way to tell sshd (or some more powerful 
> daemon) to stop accepting login attempts from a given IP if it tries 
> and fails to log in too many times in a limited duration (like in the 
> same minute)?
>
> I suppose, now that I'm thinking about it, that it'd be best to 
> actually just read the man pages and figure out how to get sshd to 
> ignore any attempt to attach from ports other than 22.  I mean, why 
> are other machines trying to ssh in at ports over fifty thousand anyway?
>
> -- 
>  -JC
>  http://www.livejournal.com/users/jcholewa/
>
> PS:  Oh, yeah ... "FreeBSD 4.8-RELEASE #0: Thu Apr  3 10:53:38 GMT 
> 2003" ; openssh-3.6.1_5 ; openssl-0.9.7d_1
>
>
>
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to 
> "freebsd-questions-unsubscribe at freebsd.org"

I had this on my FreeBSD 4.10 box as well.  sshd can be configured to 
only allow logins for specific users.
Edit /etc/sshd_config to add the following
AllowUsers <USER_NAME>
You can have multiple AllowUsers entries if you want more than one user 
to be able to ssh in.
This has worked pretty well for me, although I still get an occasional 
(once every couple of days) failed login attempt on the one valid user 
name I've set up.  I guess I could use a less guessable user id.




More information about the freebsd-questions mailing list