[SSHd] Increasing wait time?

Peter Boosten peter at boosten.org
Tue May 6 18:36:00 UTC 2008



Beech Rintoul wrote:
> On Tuesday 06 May 2008, David Kelly said:
>> On Tue, May 06, 2008 at 09:31:15AM -0800, Beech Rintoul wrote:
>>>> Is there a way to configure SSHd, so that the wait time between
>>>> login attempts increases after X failed tries?
>>> Not that I know of. You should look into denyhosts (in the ports)
>>> it works well and even has a RBL feature to block some of these
>>> script kiddies proactively. Unfortunately, these attempts have
>>> become a fact of life. I probably get 20 - 30 attempts a day
>>> between my various servers.
>> Depending on how you use ssh from external systems you could add
>> firewall rules to disallow all but known sources.
> 
> I was doing that in the past, but I found it to be inflexible and 
> sometimes a pain to deal with. I sometimes need to access a server 
> from a new location and that kind of hard lockdown just isn't 
> practical. The denyhosts solution works very well for me and the RBH 
> feature blocks 9 out of 10 attempts outright. 
> 

It's quite simple if you're using pf:

in your pf.conf:

************
table <blacklist> persist

block in quick on $ext_if proto tcp from <blacklist> to any \
port 22 label "ssh bruteforce"

pass in on $ext_if inet proto tcp from any to any port ssh flags S/SA \
keep state (max-src-conn 15, max-src-conn-rate 5/40, \
overload <blacklist> flush global)

************

What it does is check whether more than 15 connections are made from 
the same IP address, or 5 within 40 seconds. If that happens, the 
offending IP address is put in a dynamic table called blacklist and gets 
blocked.

Works like a charm.
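To show what the 5/40 threshold in that rule actually does, here is an added Python example (it is not from the original post and not pf's own code) that replays constructed connection events against the same limits; the sliding-window counter only approximates pf's rate accounting, and the addresses are made-up documentation ranges.

```python
from collections import defaultdict, deque

# Thresholds copied from the pf rule above: max-src-conn-rate 5/40
MAX_CONN_RATE = 5   # more than this many new connections ...
RATE_WINDOW = 40    # ... within this many seconds, per source address

# Constructed sample (assumption, not real traffic): a scanner opening a
# connection every 3 seconds, and an admin logging in three times in 10 min.
SCANNER = "203.0.113.7"
ADMIN = "198.51.100.4"
SAMPLE_EVENTS = [(float(t), SCANNER) for t in range(0, 24, 3)]
SAMPLE_EVENTS += [(5.0, ADMIN), (300.0, ADMIN), (600.0, ADMIN)]


def overload_candidates(syn_events, limit=MAX_CONN_RATE, window=RATE_WINDOW):
    """Replay (timestamp, src_ip) new-connection events and return a tuple
    ({ip: time_blacklisted}, blocked_count). A source is blacklisted when it
    exceeds `limit` new connections inside any `window`-second span, which
    approximates pf's max-src-conn-rate check; later connections from a
    blacklisted source are counted as blocked (the <blacklist> table rule)."""
    recent = defaultdict(deque)   # per-source timestamps still in the window
    blacklisted = {}
    blocked = 0
    for ts, ip in sorted(syn_events):
        if ip in blacklisted:
            blocked += 1
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # age out old timestamps
            q.popleft()
        if len(q) > limit:
            blacklisted[ip] = ts
    return blacklisted, blocked


if __name__ == "__main__":
    # -> ({'203.0.113.7': 15.0}, 2): 6th SYN at t=15 trips the rate, 2 blocked
    print(overload_candidates(SAMPLE_EVENTS))
```

Addresses added by overload stay in the persist table until removed; `pfctl -t blacklist -T expire 86400` drops entries older than a day, and `pfctl -t blacklist -T show` lists what is currently blocked.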

Another option is sshguard (/usr/ports/security/sshguard)

Peter
-- 
http://www.boosten.org


More information about the freebsd-questions mailing list