Jonathan Franks wrote:

On Mar 18, 2006, at 12:39 PM, Chris Maness wrote:

In my auth log I see alot of bruit force attempts to login via ssh. Is there a way I can have the box automatically kill any tcp/ ip connectivity to hosts that try and fail a given number of times? Is there a port or something that I can install to give this kind of protection. I'm still kind of a FreeBSD newbie.

If you are using PF, you can use source tracking to drop the offenders in to a table... perhaps after a certain number of attempts in a given time (say, 5 in a minute). Once you have the table you're in business... you can block based on it... and then set up a cron job to copy the table to disk every so often (perhaps once every two minutes). It works very well for me, YMMV.

If you don't want to block permanently, you could use cron to flush the table every so often too... I don't bother though.


I use a port called DenyHost. It adds an entry to hosts.allow that denies access.
_______________________________________________ mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to