denying spam hosts ssh access - good idea?

Ben Schumacher me at
Mon Jan 11 17:40:30 UTC 2010

On Mon, Jan 11, 2010 at 7:01 AM, Anton Shterenlikht <mexas at> wrote:
> I'm thinking of denying ssh access to host from which
> I get brute force ssh attacks.
> HOwever, I see in /etc/hosts.allow:
> # Wrapping sshd(8) is not normally a good idea, but if you
> # need to do it, here's how
> #sshd : : deny
> Why is it not a good idea?
> Also, apparently in older ssh there was DenyHosts option,
> but no longer in the current version.
> Is there a replacement for DenyHOsts?
> Or is there a good reason for such option not to be used?


In the general theme of this thread -- not answering your question,
but providing an alternate solution -- sshguard from ports work
fantastically for me. It interfaces with both ipfw and pf firewalls (I
use it with pf) and has builtin timeout.

I use syslog on several machine behind my firewall to forward SSH
authentication failures to my FreeBSD firewall that uses PF and it
quickly identifies and blocks bruteforce attacks. From my syslog.conf:

!sshd					@wall

The handy thing here is that it has builtin timeout rules so if you do
something silly and block yourself out temporarily, it'll eventually
straighten itself out.


More information about the freebsd-questions mailing list