Auto blacklist ssh connections ...

Peter N. M. Hansteen peter at
Thu Sep 18 07:29:55 UTC 2008

"Marc G. Fournier" <scrappy at> writes:

> Does anyone know of a utility that I can use with sshd to auto-block by IP if
> there are more than N failed attempts in a row?

With PF, you could use state tracking options and overload rules to
set limits on the rate of new connections from any one host and/or the
rate of new connections,

pass quick proto { tcp, udp } from any to any port ssh \
        flags S/SA keep state \
        (max-src-conn 15, max-src-conn-rate 5/3, \
        overload <bruteforce> flush global)

supplemented by a rule that handles traffic from the bruteforce table
(block quick, assign to tiny queue, whatever).  One of the more popular
pages in the PF tutorial (<>) 
is about just that, see <> for a wider range
of formats.
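As an added example (not from the post or the PF tutorial), here is the rule above placed in a complete pf.conf fragment together with the two pieces it depends on: the table the overload option fills and a block rule that consumes it. Because the pass rule is "quick", the block rule has to come first. The example narrows the protocol list to tcp, since SSH does not use UDP and the flags option only applies to TCP, and the 24-hour expiry interval in the housekeeping commands is an assumption, not something the post specifies.

```pf
# Added example, not from the original post: complete pf.conf fragment for
# PF-based SSH brute-force limiting. The expiry interval is an assumption.

# The table the overload option fills. "persist" keeps the table around
# even when no loaded rule references it, so entries survive a reload.
table <bruteforce> persist

# Must precede the "pass quick" rule, otherwise the pass rule wins first.
block quick from <bruteforce>

# Trigger conditions, per source address:
#   max-src-conn 15       more than 15 simultaneous connections
#   max-src-conn-rate 5/3 more than 5 new connections within 3 seconds
# When either limit is hit the address is added to <bruteforce> and
# "flush global" kills every existing state from that address, not only
# the SSH ones.
pass quick proto tcp from any to any port ssh \
        flags S/SA keep state \
        (max-src-conn 15, max-src-conn-rate 5/3, \
        overload <bruteforce> flush global)

# Housekeeping (pfctl commands, not pf.conf syntax), from cron or by hand:
#   pfctl -t bruteforce -T show            # list currently blocked addresses
#   pfctl -t bruteforce -T expire 86400    # drop entries older than 24h (assumed interval)
#   pfctl -t bruteforce -T delete 192.0.2.10   # release one address (constructed sample IP)
```

Two things are worth checking on a live box: `pfctl -s states` shows whether a flushed host's other sessions really went away, and `pfctl -t bruteforce -T show` after a `pfctl -f /etc/pf.conf` reload confirms that `persist` kept the table contents.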

There are other packages that will read your auth log and count, but being
sort of a PF guy I found the PF-based solution quite attractive and flexible.

Peter N. M. Hansteen, member of the first RFC 1149 implementation team
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: disconnected after 42673 seconds.
