sshd break-in attempt

Nathan Vidican nvidican at
Tue Jan 2 05:22:59 PST 2007

We keep getting attempts from what look like a username/password scanner 
utility to log in to our servers externally via sshd. Thankfully, we're 
not ignorant enough to leave common account names open, however it is 
annoying to say the least. We're getting things like this:

Jan  1 09:07:34 fw sshd[66547]: Invalid user staff from
Jan  1 09:07:35 fw sshd[66549]: Invalid user sales from
Jan  1 09:07:36 fw sshd[66551]: Invalid user recruit from
Jan  1 09:07:37 fw sshd[66553]: Invalid user alias from
Jan  1 09:07:38 fw sshd[66555]: Invalid user office from
Jan  1 09:07:38 fw sshd[66557]: Invalid user samba from
Jan  1 09:07:39 fw sshd[66559]: Invalid user tomcat from
Jan  1 09:07:40 fw sshd[66561]: Invalid user webadmin from
Jan  1 09:07:41 fw sshd[66563]: Invalid user spam from
Jan  1 09:07:42 fw sshd[66565]: Invalid user virus from
Jan  1 09:07:43 fw sshd[66567]: Invalid user cyrus from
Jan  1 09:07:43 fw sshd[66569]: Invalid user staff from
Jan  1 09:07:44 fw sshd[66571]: Invalid user oracle from

in our 'periodic daily' report/email (only the list goes on for hundreds of attempts). Anyhow, long story short: is there not an easy way to make sshd block or deny hosts temporarily if X number of invalid login attempts are made within a minute's time? Must I use an external wrapper to accomplish this, or can it be done with options to sshd on its own?

Nathan Vidican
nvidican at
Windsor Match Plate & Tool Ltd.
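
The threshold the message asks about (X invalid logins from one host within a minute), shown as log-side detection over "Invalid user" lines. This is an added example, not part of the original post; the addresses, the name `find_offenders`, the threshold of 5 and the assumed year are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the format quoted above; addresses are documentation ranges.
SAMPLE_LOG = """\
Jan  1 09:07:34 fw sshd[66547]: Invalid user staff from 192.0.2.10
Jan  1 09:07:35 fw sshd[66549]: Invalid user sales from 192.0.2.10
Jan  1 09:07:36 fw sshd[66551]: Invalid user recruit from 192.0.2.10
Jan  1 09:07:37 fw sshd[66553]: Invalid user alias from 192.0.2.10
Jan  1 09:07:38 fw sshd[66555]: Invalid user office from 192.0.2.10
Jan  1 09:07:38 fw sshd[66557]: Invalid user samba from 192.0.2.10
Jan  1 09:10:00 fw sshd[66601]: Invalid user test from 198.51.100.7
Jan  1 09:10:30 fw sshd[66603]: Invalid user guest from 198.51.100.7
Jan  1 09:11:00 fw sshd[66605]: Invalid user backup from 198.51.100.7
Jan  1 09:11:30 fw sshd[66607]: Invalid user ftp from 198.51.100.7
Jan  1 09:12:00 fw sshd[66609]: Invalid user www from 198.51.100.7
Jan  1 09:12:05 fw sshd[66611]: Invalid user staff from
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Invalid user \S+ from (?P<host>\S+)")

def find_offenders(lines, max_attempts=5, window=timedelta(seconds=60), year=2007):
    """Map each host reaching max_attempts within window to the time it did."""
    recent = defaultdict(deque)   # host -> timestamps still inside the window
    offenders = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:                 # other sshd messages, or no source address
            continue
        # syslog timestamps omit the year, so it is supplied (assumed) here
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        seen = recent[m["host"]]
        seen.append(when)
        while when - seen[0] > window:   # forget attempts older than the window
            seen.popleft()
        if len(seen) >= max_attempts:
            offenders.setdefault(m["host"], when)
    return offenders

if __name__ == "__main__":
    for host, when in find_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"{host} reached the threshold at {when}")
```

The hosts returned are the ones a firewall rule or wrapper would then deny for a limited time. A host probing more slowly than the window is not caught, so the threshold and window need tuning against real logs.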

More information about the freebsd-questions mailing list