Auto blacklist ssh connections ...

eculp at eculp at
Thu Sep 18 13:20:07 UTC 2008

Quoting andrew clarke <mail at>:

> On Wed 2008-09-17 19:36:02 UTC-0400, Tom Marchand  
> (m0rchand at wrote:
>>> Does anyone know of a utility that I can use with sshd to auto-block
>>> by IP if there are more then N failed attempts in a row?
>> Why don't you have sshd listen on a different port?
> I imagine that on some hosts where there are multiple users/customers,
> moving sshd to another port isn't a practical solution due to people's
> habits in trying to connect to the default port.  A human problem
> rather than a technical one.
> PS. Top posting is cruel.

I`ve been more or less watching this thread and haven't seen the use  
of   the ssh-bruteforce rules from the pf on line howtos being  
recommended.  In my own case pf, in addition to a couple of other  
changes, has worked well for us.  In the other changes mentioned we  
have also changed the ssh port that doesn't add security but has  
basically stopped logfiles full of dictionary attempts from what I  
expect are windows machines that have been violated and are being used  
to find more.

I would highly recommend pf brutforce rules or something similar with  
other firewalls.


More information about the freebsd-questions mailing list