High levels of breakin attempts

Lowell Gilbert freebsd-questions-local at be-well.ilk.org
Tue Jan 11 06:40:59 PST 2005

Carleton Vaughn <keebler at mindspring.com> writes:

> Gene wrote:
> > Over the past few months there have been a remarkably high level  of
> > brute force attacks logged by sshd. I was wondering, is there a way
> > that sshd (or some other package) can monitor login attempts and if
> > more than say 5 or 6 attempts are made to login from a particular ip
> > address, temporarily block that address (perhaps at the firewall)?
> > It'd be real satisfying to just dump the attackers' packets to the
> > bit bucket and slow 'em down a bit.
> Not that I'm an expert (and not that that's stopping me), but this can
> be done by configuring sshd to use PAM and selecting a PAM module such
> as pam_abl that can blacklist sites that send too many attempts.  See
> http://www.kernel.org/pub/linux/libs/pam/modules.html for examples.

Always remember, however, to be careful that this doesn't open you up
to an easy denial-of-service attack.  If all somebody has to do is try
to log in a half-dozen times to lock out the IP address they're
connecting from, you may be making it possible for them to attack your
operation without breaking into your machine.

"5 or 6" login attempts doesn't remotely constitute a "brute force"
attack.  From what I've seen on my own machine, these attempts seem to
be trying passwords from a particular Linux distribution that shipped
with default passwords on a number of accounts.  Sometimes it makes me
feel better to lock out such "attacks," but I don't actually kid
myself into thinking that I'm either improving my own security or
inconveniencing the attacker noticeably.

Lowell Gilbert, embedded/networking software engineer, Boston area

More information about the freebsd-questions mailing list