autoblocking many ssh failed logins from the same IP....
ep_lists at peckham.me.uk
Tue Jul 5 11:03:27 GMT 2005
John Cholewa wrote:
> Jun 30 10:36:05 phantom sshd: Failed password for news from
> 220.127.116.11 port 51218 ssh2
> Jun 30 10:36:16 phantom sshd: Failed password for sshd from
> 18.104.22.168 port 51608 ssh2
> Jun 30 10:36:39 phantom sshd: Failed password for root from
> 22.214.171.124 port 52297 ssh2
> I get the above a lot in my logs (except more of it). Each day, a
> couple hundred failed attempts to log in from one or sometimes two IP
> addresses shows up. I don't have anything like ipf running, and since
> this machine is about fifteen hundred miles away from me, I don't want
> to experiment with software firewalling right now.
> That known, is there any way to tell sshd (or some more powerful
> daemon) to stop accepting login attempts from a given IP if it tries
> and fails to log in too many times in a limited duration (like in the
> same minute)?
> I suppose, now that I'm thinking about it, that it'd be best to
> actually just read the man pages and figure out how to get sshd to
> ignore any attempt to attach from ports other than 22. I mean, why
> are other machines trying to ssh in at ports over fifty thousand anyway?
> PS: Oh, yeah ... "FreeBSD 4.8-RELEASE #0: Thu Apr 3 10:53:38 GMT
> 2003" ; openssh-3.6.1_5 ; openssl-0.9.7d_1
> freebsd-questions at freebsd.org mailing list
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe at freebsd.org"
I had this on my FreeBSD 4.10 box as well. sshd can be configured to
only allow logins for specific users.
Edit /etc/sshd_config to add the following
You can have multiple AllowUsers entries if you want more than one user
to be able to ssh in.
This has worked pretty well for me, although I still get an occasional
(once every couple of days) failed login attempt on the one valid user
name I've set up. I guess I could use a less guessable user id.
More information about the freebsd-questions