denyhosts/pfctl to block repeated logins?

John Holland jholland at vin-dit.org
Sat Jun 20 16:11:16 UTC 2015


Thanks for all this information. I had used denyhosts before on Linux. I tried using something involving pf rules and a shell script monitoring auth.log. This was not working well. At the moment I’ve got denyhosts working and it seems OK, but I may switch to sshguard-pf based on your recommendation.

John
> On Jun 20, 2015, at 8:32 AM, Michael B. Eichorn <ike at michaeleichorn.com> wrote:
> 
> On Sat, 2015-06-20 at 21:55 +1000, andrew clarke wrote:
>> On Sat 2015-06-20 07:34:50 UTC-0400, John Holland (jholland at vin-dit.org) wrote:
>> 
>>> What is the best tool to use to block repeated login attempts from
>>> unauthorized hosts?  And for deny hosts, how you unblock someone who
>>> is legitimate?
>> 
>> "Best tool" is difficult to answer since it depends on your exact
>> requirements.
>> 
>> Also once an admin finds an IP blocker that works for them, they may
>> tend to stick with it rather than try all the alternatives.
>> 
>> For blocking unsuccessful ssh logins, sshguard-ipfw works for me.
>> 
>> http://www.sshguard.net/docs/faqs/
>> 
> 
> I will second sshguard as an excellent automated blocker. But since the
> OP mentions pfctl in the subject line, they probably want sshguard-pf.
> There is also a no-firewall version for running in jails.
> 
> I prefer sshguard as it is a daemon-like C program, whereas denyhosts is a
> python script. So I get a few fewer dependencies and a bit more speed.
> 
> SSHguard can handle more than just ssh logins; it covers sendmail, dovecot, and
> other servers as well.
> 
> Unblocking no matter what you are using best consists of 2 steps:
> 1) Remove the blocked address from the firewall table, hosts.deny, etc.
> 2) If possible whitelist the hostname(s)/address(es)/subnet(s)
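The two unblocking steps above, carried out for the sshguard-pf setup, as an added example that is not part of this thread or of sshguard itself. It assumes the pf.conf from sshguard's documentation (`table <sshguard> persist` blocked by a `block in quick from <sshguard>` rule), that sshguard runs under rc as the `sshguard` service, and that the whitelist lives at a placeholder path; `pfctl -t TABLE -T delete ADDR` is the real pfctl syntax. The address is validated before it is handed to pfctl so that a typo or a pasted log fragment cannot turn into a stray shell argument, and DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the thread): unblock an address that sshguard-pf has
# put into the pf table, then whitelist it so it is not blocked again.
# Assumptions: pf.conf declares `table <sshguard> persist`; the whitelist path
# below is a placeholder; sshguard is started by rc as the `sshguard` service.

PF_TABLE="${PF_TABLE:-sshguard}"
WHITELIST="${WHITELIST:-/usr/local/etc/sshguard.whitelist}"   # placeholder path

# Accept a dotted-quad IPv4 address (each octet 0-255), optionally with /0-32.
is_ipv4() {
    addr="${1%/*}"
    prefix="${1#*/}"
    [ "$prefix" = "$1" ] && prefix=32
    case "$addr" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    case "$prefix" in
        ''|*[!0-9]*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    [ "$prefix" -le 32 ]
}

# Run a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Step 1: remove the address from the pf table that is blocking it.
# Step 2: add it to the whitelist and restart sshguard so the file is re-read.
unblock() {
    target="$1"
    is_ipv4 "$target" || { echo "invalid address: $target" >&2; return 2; }
    run pfctl -t "$PF_TABLE" -T delete "$target"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "whitelist: $target >> $WHITELIST"
    else
        printf '%s\n' "$target" >> "$WHITELIST"
    fi
    run service sshguard restart
}

if [ $# -gt 0 ]; then
    unblock "$1"
fi
```

Usage: `sh unblock.sh 203.0.113.5` (or a `/24` to unblock a subnet). Check the result with `pfctl -t sshguard -T show`; if the whitelist entry is a subnet rather than a single host, sshguard's whitelist accepts CIDR notation as well.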
