autoblocking many ssh failed logins from the same IP....
Edward
ep_lists at peckham.me.uk
Tue Jul 5 11:03:27 GMT 2005
John Cholewa wrote:
> Jun 30 10:36:05 phantom sshd[70478]: Failed password for news from
> 212.88.182.121 port 51218 ssh2
> Jun 30 10:36:16 phantom sshd[70500]: Failed password for sshd from
> 212.88.182.121 port 51608 ssh2
> Jun 30 10:36:39 phantom sshd[70569]: Failed password for root from
> 212.88.182.121 port 52297 ssh2
>
> I get the above a lot in my logs (except more of it). Each day, a
> couple hundred failed attempts to log in from one or sometimes two IP
> addresses shows up. I don't have anything like ipf running, and since
> this machine is about fifteen hundred miles away from me, I don't want
> to experiment with software firewalling right now.
>
> That known, is there any way to tell sshd (or some more powerful
> daemon) to stop accepting login attempts from a given IP if it tries
> and fails to log in too many times in a limited duration (like in the
> same minute)?
>
> I suppose, now that I'm thinking about it, that it'd be best to
> actually just read the man pages and figure out how to get sshd to
> ignore any attempt to attach from ports other than 22. I mean, why
> are other machines trying to ssh in at ports over fifty thousand anyway?
>
> --
> -JC
> http://www.livejournal.com/users/jcholewa/
>
> PS: Oh, yeah ... "FreeBSD 4.8-RELEASE #0: Thu Apr 3 10:53:38 GMT
> 2003" ; openssh-3.6.1_5 ; openssl-0.9.7d_1

I had this on my FreeBSD 4.10 box as well. sshd can be configured to
only allow logins for specific users.

Edit /etc/sshd_config to add the following:

    AllowUsers <USER_NAME>

You can have multiple AllowUsers entries if you want more than one user
to be able to ssh in.

This has worked pretty well for me, although I still get an occasional
(once every couple of days) failed login attempt on the one valid user
name I've set up. I guess I could use a less guessable user id.