[SSHd] Increasing wait time?
Peter Boosten
peter at boosten.org
Tue May 6 18:36:00 UTC 2008
Beech Rintoul wrote:
> On Tuesday 06 May 2008, David Kelly said:
>> On Tue, May 06, 2008 at 09:31:15AM -0800, Beech Rintoul wrote:
>>>> Is there a way to configure SSHd, so that the wait time between
>>>> login attempts increases after X failed tries?
>>> Not that I know of. You should look into denyhosts (in the ports)
>>> it works well and even has a RBL feature to block some of these
>>> script kiddies proactively. Unfortunately, these attempts have
>>> become a fact of life. I probably get 20 - 30 attempts a day
>>> between my various servers.
>> Depending on how you use ssh from external systems you could add
>> firewall rules to disallow all but known sources.
>
> I was doing that in the past, but I found it to be inflexible and
> sometimes a pain to deal with. I sometimes need to access a server
> from a new location and that kind of hard lockdown just isn't
> practical. The denyhosts solution works very well for me and the RBH
> feature blocks 9 out of 10 attempts outright.
>
It's quite simple if you're using pf:
in your pf.conf:
************
table <blacklist> persist
# drop anything from an address already in the table (quick: no later rule applies)
block in quick on $ext_if proto tcp from <blacklist> to any \
    port 22 label "ssh bruteforce"
# allow new SSH connections, but watch each source address:
#   max-src-conn 15        - at most 15 simultaneous connections
#   max-src-conn-rate 5/40 - at most 5 new connections per 40 seconds
# a source exceeding either limit is added to <blacklist> and all its states are flushed
pass in on $ext_if inet proto tcp from any to any port ssh flags S/SA \
    keep state (max-src-conn 15, max-src-conn-rate 5/40, \
    overload <blacklist> flush global)
************
What it does is to check whether more than 15 connections are made from
the same IP address, or 5 within 40 seconds. If that happens the
offending IP address is put in a dynamic list called blacklist and gets
blocked.
Works like a charm.
Another option is sshguard (/usr/ports/security/sshguard)
Peter
--
http://www.boosten.org
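To make the two thresholds in the pf rule above concrete, here is an added example (not part of Peter's post, and not pf's own code) that replays a constructed list of SSH connection events through a simplified model of `max-src-conn` and `max-src-conn-rate` and reports which sources would end up in the `<blacklist>` table. The sliding-window rate check is an approximation of pf's moving-average calculation; the event format, IP addresses and function names are assumptions made for this example.

```python
from collections import defaultdict, deque

# Thresholds taken from the pf rule in the post:
#   max-src-conn 15        -> at most 15 simultaneous connections per source
#   max-src-conn-rate 5/40 -> at most 5 new connections per source within 40 seconds
MAX_SRC_CONN = 15
RATE_LIMIT = 5
RATE_INTERVAL = 40  # seconds


def find_overloaded_sources(events, max_src_conn=MAX_SRC_CONN,
                            rate_limit=RATE_LIMIT, rate_interval=RATE_INTERVAL):
    """Return a dict of source IP -> reason for every source that would be
    added to the overload table.

    events: iterable of (time_in_seconds, src_ip, kind), kind is "open" or
    "close", ordered by time. Simplified model (assumption): the rate check
    is a sliding window over connection opens; pf uses a moving average.
    """
    open_conns = defaultdict(int)      # currently established connections per source
    recent_opens = defaultdict(deque)  # timestamps of recent opens per source
    blacklisted = {}
    for t, ip, kind in events:
        if ip in blacklisted:
            continue  # already in <blacklist>; the "block quick" rule drops it
        if kind == "close":
            open_conns[ip] = max(0, open_conns[ip] - 1)
            continue
        # a new connection from this source
        open_conns[ip] += 1
        window = recent_opens[ip]
        window.append(t)
        while window and t - window[0] > rate_interval:
            window.popleft()  # forget opens older than the interval
        if open_conns[ip] > max_src_conn:
            blacklisted[ip] = f"more than {max_src_conn} simultaneous connections"
        elif len(window) > rate_limit:
            blacklisted[ip] = f"more than {rate_limit} new connections in {rate_interval}s"
    return blacklisted


# Constructed sample: a fast brute-forcer, a slow one that never hangs up,
# and a legitimate user who opens and closes a few sessions.
SAMPLE_EVENTS = sorted(
    [(t, "10.0.0.5", "open") for t in (0, 2, 4, 6, 8, 10)]          # 6 opens in 10 s
    + [(t, "10.0.0.7", "open") for t in range(0, 16 * 60, 60)]       # 16 opens, 1/min, no closes
    + [(0, "192.0.2.10", "open"), (30, "192.0.2.10", "close"),
       (120, "192.0.2.10", "open"), (150, "192.0.2.10", "close"),
       (300, "192.0.2.10", "open"), (330, "192.0.2.10", "close")],
    key=lambda e: e[0],
)

if __name__ == "__main__":
    for ip, reason in find_overloaded_sources(SAMPLE_EVENTS).items():
        print(f"{ip}: {reason}")
```

Note that the rate limit catches the fast scanner while the concurrent-connection limit is what catches a slow one that keeps every session open. Because the table is declared `persist`, entries stay until removed; on a live system `pfctl -t blacklist -T show` lists the current offenders and a periodic `pfctl -t blacklist -T expire 86400` ages out entries older than a day, so a legitimate source that tripped the limit once is not locked out forever.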
More information about the freebsd-questions mailing list