Firewalls using a DNSbl (and distributed ssh attacks)

Tim Judd tajudd at
Wed Dec 3 23:17:19 PST 2008

On Wed, Dec 3, 2008 at 7:53 PM, Daniel Bye <danielby at>wrote:

> On Wed, Dec 03, 2008 at 07:43:26PM -0600, Jeffrey Goldberg wrote:
> > It's not a big issue, but I'm wondering if there is a DNSBl that lists
> > IPs that are engaging in brute force ssh attacks.  And if there is
> > such a list, is there a way to integrate that information into a
> > firewall or sshd.
> >
> > As I've said this really isn't a big issue for me, as the brute force
> > attempts at sshd are nothing but an annoyance as I review logs.
> >
> > The attacks that I'm seeing appear to be coordinated and distributed.
> > That is, there will be one attempt on username "fred" from one IP
> > immediately followed by an attempt on "freddy" from another IP
> > followed by an attempt on "fredrick" from a third source and so on.
> I don't know of any DNSbl type service, but I am using DenyHosts with
> very great success. Its synchronisation feature allows participating
> instances of the script to share IP addresses of misbehaving hosts,
> so as soon as an address hits the database, it's only a matter of an
> hour or so before your instance can start blocking it.
> The basic setup uses TCP wrappers to block offending hosts, but I am
> using the datafile it maintains as a file-based table in pf, which I
> reload periodically from a cronjob.
> Dan
> --
> Daniel Bye
>                                                                     _
>                                              ASCII ribbon campaign ( )
>                                         - against HTML, vCards and  X
>                                - proprietary attachments in e-mail / \

Depending on the role of the machine, I've started to firewall off remote
ssh connects to my machines except only the hosts I use.  A dyndns hostname
+ pf querying DNS and the static IPs that I have at the office.  All others
don't need access, and if push comes to shove, I can update dyndns IP with
anything I'm behind, allow DNS propogation, (hour?) and then connect.  works
quite well.

pf example:

block in on fxp0 all
pass in on fxp0 inet proto tcp from { <workIP>, "sub.dyndnsorg.tld" } to
port 22 keep state flags S/SA

When you implement this, the firewall sees no existing state (I think) and
will kill your connection.  If you didn't typo the firewall rule, you can
connect right back.


More information about the freebsd-questions mailing list