Beech Rintoul wrote:
On Tuesday 06 May 2008, David Kelly said:
On Tue, May 06, 2008 at 09:31:15AM -0800, Beech Rintoul wrote:
Is there a way to configure SSHd, so that the wait time between
login attempts increases after X failed tries?
Not that I know of. You should look into denyhosts (in the ports);
it works well and even has an RBL feature to block some of these
script kiddies proactively. Unfortunately, these attempts have
become a fact of life. I probably get 20 - 30 attempts a day
between my various servers.
Depending on how you use ssh from external systems you could add
firewall rules to disallow all but known sources.

I was doing that in the past, but I found it to be inflexible and sometimes a pain to deal with. I sometimes need to access a server from a new location, and that kind of hard lockdown just isn't practical. The denyhosts solution works very well for me, and the RBL feature blocks 9 out of 10 attempts outright.

It's quite simple if you're using pf:

in your pf.conf:

table <blacklist> persist

block in quick on $ext_if proto tcp from <blacklist> to any \
port 22 label "ssh bruteforce"

pass in on $ext_if inet proto tcp from any to any port ssh flags S/SA \
keep state (max-src-conn 15, max-src-conn-rate 5/40, \
overload <blacklist> flush global)

What it does is check whether more than 15 connections are made from the same IP address, or 5 within 40 seconds. If that happens, the offending IP address is put in a dynamic table called <blacklist> and gets blocked.

Works like a charm.

Another option is sshguard (/usr/ports/security/sshguard)
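As an added illustration of the threshold the pf rule above applies (5 new connections within 40 seconds from one source), here is a small log-based checker in the spirit of denyhosts/sshguard; it is not code from the thread or from either tool. It runs over constructed sshd auth.log lines and uses a plain sliding window, which is an assumed simplification of pf's own rate counter; it also shows that a slow attacker stays below a rate threshold unless the window is widened.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth.log excerpt (not taken from the thread). 192.0.2.10
# hammers sshd, 203.0.113.5 tries slowly, 198.51.100.7 is a legitimate login.
SAMPLE_LOG = """\
May  6 09:31:10 host sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 40211 ssh2
May  6 09:31:12 host sshd[1203]: Failed password for invalid user admin from 192.0.2.10 port 40212 ssh2
May  6 09:31:15 host sshd[1205]: Failed password for root from 192.0.2.10 port 40213 ssh2
May  6 09:31:18 host sshd[1207]: Failed password for root from 192.0.2.10 port 40214 ssh2
May  6 09:31:20 host sshd[1209]: Accepted publickey for beech from 198.51.100.7 port 51000 ssh2
May  6 09:31:22 host sshd[1211]: Failed password for invalid user test from 192.0.2.10 port 40215 ssh2
May  6 09:31:25 host sshd[1213]: Failed password for root from 192.0.2.10 port 40216 ssh2
May  6 09:33:00 host sshd[1220]: Failed password for root from 203.0.113.5 port 42000 ssh2
May  6 09:34:00 host sshd[1222]: Failed password for root from 203.0.113.5 port 42001 ssh2
"""

FAILED_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (\S+) port \d+"
)

def find_bruteforcers(log_text, max_attempts=5, window=40, year=2008):
    """Return {source_ip: time_first_flagged} for every source whose failed
    logins exceed max_attempts within any span of `window` seconds.
    Mirrors the thread's max-src-conn-rate 5/40 threshold with a simple
    sliding window (assumption: pf's real counter is not reproduced here).
    `year` is needed because syslog timestamps carry no year."""
    recent = defaultdict(deque)   # per-source timestamps of recent failures
    flagged = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue              # accepted logins and other lines are ignored
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() >= window:
            q.popleft()           # drop failures that fell out of the window
        if len(q) > max_attempts and ip not in flagged:
            flagged[ip] = ts
    return flagged

if __name__ == "__main__":
    for ip, when in find_bruteforcers(SAMPLE_LOG).items():
        print(f"{ip} would be added to <blacklist> at {when:%H:%M:%S}")
```

With the default 5/40 threshold only the fast source is flagged; the one-attempt-per-minute source is caught only with a wider window (or a cumulative count, which is what denyhosts keeps).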
