Firewalls using a DNSbl (and distributed ssh attacks)

Daniel Bye danielby at
Wed Dec 3 18:54:02 PST 2008

On Wed, Dec 03, 2008 at 07:43:26PM -0600, Jeffrey Goldberg wrote:
> It's not a big issue, but I'm wondering if there is a DNSBl that lists  
> IPs that are engaging in brute force ssh attacks.  And if there is  
> such a list, is there a way to integrate that information into a  
> firewall or sshd.
> As I've said this really isn't a big issue for me, as the brute force  
> attempts at sshd are nothing but an annoyance as I review logs.
> The attacks that I'm seeing appear to be coordinated and distributed.   
> That is, there will be one attempt on username "fred" from one IP  
> immediately followed by an attempt on "freddy" from another IP  
> followed by an attempt on "fredrick" from a third source and so on.

I don't know of any DNSbl type service, but I am using DenyHosts with
very great success. Its synchronisation feature allows participating
instances of the script to share IP addresses of misbehaving hosts,
so as soon as an address hits the database, it's only a matter of an
hour or so before your instance can start blocking it.

The basic setup uses TCP wrappers to block offending hosts, but I am
using the datafile it maintains as a file-based table in pf, which I
reload periodically from a cronjob.


Daniel Bye
                                              ASCII ribbon campaign ( )
                                         - against HTML, vCards and  X
                                - proprietary attachments in e-mail / \
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
Url :

More information about the freebsd-questions mailing list