Auto blacklist ssh connections ...

Peter N. M. Hansteen peter at bsdly.net
Thu Sep 18 07:29:55 UTC 2008


"Marc G. Fournier" <scrappy at hub.org> writes:

> Does anyone know of a utility that I can use with sshd to auto-block by IP if
> there are more than N failed attempts in a row?

With PF, you could use state tracking options and overload rules to
set limits on the rate of new connections from any one host and/or the
rate of new connections,

# ssh is TCP-only, and flags/max-src-conn only apply to TCP, so match tcp alone
pass quick proto tcp from any to any port ssh \
        flags S/SA keep state \
        (max-src-conn 15, max-src-conn-rate 5/3, \
        overload <bruteforce> flush global)

supplemented by a rule that handles traffic from the bruteforce table
(block quick, assign to tiny queue, whatever).  One of the more popular
pages in the PF tutorial (<http://home.nuug.no/~peter/pf/en/bruteforce.html>) 
is about just that, see <http://home.nuug.no/~peter/pf/> for a wider range
of formats.

There are other packages that will read your auth log and count, but being
sort of a PF guy I found the PF-based solution quite attractive and flexible.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
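The "supplementing" pieces the reply leaves as an exercise, as an added pf.conf fragment that is not part of the original post: the table definition and the block rule that handles hosts already in the table, alongside the tracked pass rule. The table name <bruteforce> is taken from the post; the limits are the post's values.

```pf
# Constructed pf.conf fragment (added example, not from the original post).
# "persist" keeps the table around even when no loaded rule references it,
# so it can be inspected and pruned with pfctl -t bruteforce -T ...
table <bruteforce> persist

# Hosts already in the table get nothing further; this must come before
# the pass rule, because "quick" stops evaluation at the first match.
block quick from <bruteforce>

# ssh is TCP-only, and the per-source limits below only count TCP states:
#   max-src-conn 15        at most 15 simultaneous connections per source
#   max-src-conn-rate 5/3  at most 5 new connections in any 3-second window
# A source that exceeds either limit is added to <bruteforce>; "flush global"
# also kills every existing state that source holds, under any rule.
pass in quick proto tcp from any to any port ssh \
        flags S/SA keep state \
        (max-src-conn 15, max-src-conn-rate 5/3, \
        overload <bruteforce> flush global)
```

Table entries do not age out on their own, so a legitimate user who fat-fingers a password stays blocked until you remove the entry; `pfctl -t bruteforce -T show` lists the table and a cron job running `pfctl -t bruteforce -T expire 86400` drops entries older than a day.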


More information about the freebsd-questions mailing list