SSH login takes very long time...sometimes

[Atanas]

Carl Makin said the following on 02/16/06 20:07:
> Atanas wrote:
>> Does anybody know whether ipfw (or something else within FreeBSD-4) is 
>> capable of setting connection rate limits?
> 
> I'm using SEC to monitor the auth.log file and block any IP addresses 
> that fail a password 3 times within 60 seconds.  I use the following 
> sec.conf file;
> 
Yeah, it does pretty much the same thing I do with a simple script like:

#!/usr/bin/perl
use strict;

my $MAX_TRIES = 5;
my $RULE_BASE = 10100;
my $RULES_MAX = 10;
my $Rule = $RULE_BASE;
my %Match;

sub ip_block  # ($ip, $port)
{   my ($ip, $port) = @_;

     `ipfw delete $Rule` if `ipfw list $Rule 2>/dev/null`;
     `ipfw add $Rule deny tcp from $ip to any $port in setup`;

     $Rule = $RULE_BASE + (++$Rule - $RULE_BASE) % $RULES_MAX;
}

open LOG, "tail -f /var/log/auth.log |";
while (<LOG>) {

     if( /sshd\[\d+\]/ ) {
         if( /((Illegal user|Failed password for) \S+|Did not receive 
identification string) from (\d+\.\d+\.\d+\.\d+)/ ) {
             my $ip = $3;
             next if $Match{$ip}++ < $MAX_TRIES;
             ip_block($ip,22);
             undef $Match{$ip};
         }
     }
}
close F;

And a cron job removes the blocks every hour:

7 * * * * /sbin/ipfw delete 10100 10101 10102 10103 10104 10105 10106 
10107 10108 10109

It does the job, but it would be nice for sshd to have some rate-limit 
protection built-in. Otherwise, with the increasing number of attacks 
nowadays, many people would need similar protection.

Regards,
Atanas