Blocking SSH access based on bad logins?

Reko Turja reko.turja at
Tue Aug 25 13:30:03 UTC 2015

-----Original Message----- 
From: Jaime Kikpole
Sent: Tuesday, August 25, 2015 4:16 PM
To: freebsd-questions at
Subject: Blocking SSH access based on bad logins?

> I've noticed a number of SSH login attempts for the username "admin"
> on my FreeBSD systems.  None of them have a username of "admin".  So I
> was wondering if there was a way (even via a port) to tell the system,
> "If an IP tries to login as 'admin', block that IP."

> I'm already using SSHGuard to block certain obvious attempts to break
> in.  I'm fine with altering its configs or adding/switching to a new
> port.

With pf as your firewall you could do something like this -

first, define a table with:

table <bad_hosts> persist { }

then in filter rules:

pass in on $ext_if proto tcp from any to ($ext_if) port $tcp_login flags 
S/SA keep state (max-src-conn-rate 3/30, overload <bad_hosts> flush global)

where 3/30 means how many connections to port are allowed in set timeframe, 
for me its three in 30 seconds. If that amount is exceeded, then the ip is 
added to bad_hosts table. Of course, distributed attacks are rarely affected 
by this rule.

IMO switching SSH port is security by obscurity, determined attacker will 
eventually find the altered port if so inclined.


More information about the freebsd-questions mailing list