How to Stop Bruit Force ssh Attempts?

Ean Kingston ean at
Thu Apr 13 01:31:41 UTC 2006

On Tuesday 11 April 2006 21:35, Jonathan Franks wrote:
> On Mar 18, 2006, at 12:39 PM, Chris Maness wrote:
> > In my auth log I see alot of bruit force attempts to login via
> > ssh.  Is there a way I can have the box automatically kill any tcp/
> > ip connectivity to hosts that try and fail a given number of
> > times?  Is there a port or something that I can install to give
> > this kind of protection.  I'm still kind of a FreeBSD newbie.

I setup SSH to use public key authentication only. That way they can hammer 
away at my ssh server till the cows come home and they will never get in with 
a password.

I also use tcpwrappers (built into ssh daemon) for the particularly obnoxious 

> If you are using PF, you can use source tracking to drop the
> offenders in to a table... perhaps after a certain number of attempts
> in a given time (say, 5 in a minute). Once you have the table you're
> in business... you can block based on it... and then set up a cron
> job to copy the table to disk every so often (perhaps once every two
> minutes). It works very well for me, YMMV.
> If you don't want to block permanently, you could use cron to flush
> the table every so often too... I don't bother though.
> -Jonathan

Ean Kingston, BSc, CISSP, ARO
Computer Security and Privacy Consulting

More information about the freebsd-questions mailing list