autoblocking many ssh failed logins from the same IP....

John Brooks john at day-light.com
Fri Jul 1 14:11:36 GMT 2005 

they are originating from the high ports, arriving on port 22 at your
box. this is normal. in a default setup sshd only listens on port 22.

--
John Brooks
john at day-light.com 

> -----Original Message-----
> From: owner-freebsd-questions at freebsd.org
> [mailto:owner-freebsd-questions at freebsd.org]On Behalf Of John Cholewa
> Sent: Friday, July 01, 2005 8:43 AM
> To: freebsd-questions at freebsd.org
> Subject: autoblocking many ssh failed logins from the same IP....
> 
> 
> Jun 30 10:36:05 phantom sshd[70478]: Failed password for news 
> from 212.88.182.121 port 51218 ssh2
> Jun 30 10:36:16 phantom sshd[70500]: Failed password for sshd 
> from 212.88.182.121 port 51608 ssh2
> Jun 30 10:36:39 phantom sshd[70569]: Failed password for root 
> from 212.88.182.121 port 52297 ssh2
> 
> I get the above a lot in my logs (except more of it).  Each day, 
> a couple hundred failed attempts to log in from one or sometimes 
> two IP addresses shows up.  I don't have anything like ipf 
> running, and since this machine is about fifteen hundred miles 
> away from me, I don't want to experiment with software 
> firewalling right now.
> 
> That known, is there any way to tell sshd (or some more powerful 
> daemon) to stop accepting login attempts from a given IP if it 
> tries and fails to log in too many times in a limited duration 
> (like in the same minute)?
> 
> I suppose, now that I'm thinking about it, that it'd be best to 
> actually just read the man pages and figure out how to get sshd 
> to ignore any attempt to attach from ports other than 22.  I 
> mean, why are other machines trying to ssh in at ports over fifty 
> thousand anyway?
> 
> --
>   -JC
>   http://www.livejournal.com/users/jcholewa/
> 
> PS:  Oh, yeah ... "FreeBSD 4.8-RELEASE #0: Thu Apr  3 10:53:38 
> GMT 2003" ; openssh-3.6.1_5 ; openssl-0.9.7d_1
> 
> 
> 
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to 
> "freebsd-questions-unsubscribe at freebsd.org"
>

More information about the freebsd-questions mailing list