Beech Rintoul wrote:
On Tuesday 06 May 2008, David Kelly said:
On Tue, May 06, 2008 at 09:31:15AM -0800, Beech Rintoul wrote:
Is there a way to configure SSHd, so that the wait time between
login attempts increases after X failed tries?
Not that I know of. You should look into denyhosts (in the ports)
it works well and even has a RBL feature to block some of these
script kiddies proactively. Unfortunately, these attempts have
become a fact of life. I probably get 20 - 30 attempts a day
between my various servers.
Depending on how you use ssh from external systems you could add
firewall rules to disallow all but known sources.
I was doing that in the past, but I found it to be inflexible and
sometimes a pain to deal with. I sometimes need to access a server
from a new location and that kind of hard lockdown just isn't
practical. The denyhosts solution works very well for me and the RBL
feature blocks 9 out of 10 attempts outright.
It's quite simple if you're using pf:
in your pf.conf:
# table filled by the overload action; 'persist' keeps it even when empty
table <blacklist> persist
# $ext_if must be defined as a macro earlier in pf.conf
block in quick on $ext_if proto tcp from <blacklist> to any \
    port 22 label "ssh bruteforce"
# more than 15 open connections, or more than 5 new ones within 40 s,
# from one source address puts it in <blacklist> and kills its states
pass in on $ext_if inet proto tcp from any to any port ssh flags S/SA \
    keep state (max-src-conn 15, max-src-conn-rate 5/40, \
    overload <blacklist> flush global)
What it does is to check whether more than 15 connections are made from
the same IP address, or 5 within 40 seconds. If that happens the
offending IP address is put in a dynamic list called blacklist and gets
Works like a charm.
Another option is sshguard (/usr/ports/security/sshguard)
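To make the overload rule's behaviour concrete, here is an added simulation (not code from the thread) of which source addresses the "max-src-conn 15, max-src-conn-rate 5/40 ... overload <blacklist>" rule would put in the table. The rate counter follows pf's decaying-counter threshold accounting as I recall it, so treat the exact trip point as an approximation; the sample traffic is constructed.

```python
# Added example (not from the thread): simulate which sources the pf rule
# "max-src-conn 15, max-src-conn-rate 5/40, overload <blacklist>" would
# add to the table. Rate accounting mirrors pf's decaying counter as I
# recall it (count decays linearly over the interval); approximate.
THRESHOLD_MULT = 1000  # pf scales counts by this to avoid floating point

class SourceTracker:
    """Per-source state for one rule (what pf keeps in its src node)."""

    def __init__(self, limit, seconds, max_conn):
        self.limit = limit * THRESHOLD_MULT
        self.seconds = seconds
        self.max_conn = max_conn
        self.count = 0     # decaying rate counter
        self.last = None   # time of the last new connection
        self.open = 0      # open states, checked against max-src-conn

    def new_connection(self, now):
        """Account one new connection; True if a limit is now exceeded."""
        if self.last is not None:
            diff = now - self.last
            if diff >= self.seconds:
                self.count = 0
            else:
                self.count -= self.count * diff // self.seconds
        self.count += THRESHOLD_MULT
        self.last = now
        self.open += 1
        return self.count > self.limit or self.open > self.max_conn

def simulate(events, limit=5, seconds=40, max_conn=15):
    """events: (time_s, source_ip, 'open'|'close'); returns the set of
    sources the rule would add to <blacklist>."""
    trackers, blacklist = {}, set()
    for t, ip, kind in sorted(events):
        if ip in blacklist:
            continue  # 'block in quick ... from <blacklist>' now wins
        tr = trackers.setdefault(ip, SourceTracker(limit, seconds, max_conn))
        if kind == "close":
            tr.open = max(0, tr.open - 1)
        elif tr.new_connection(t):
            blacklist.add(ip)  # overload <blacklist> flush global
            tr.open = 0        # 'flush global' kills the source's states
    return blacklist

# Constructed sample: a scanner opening 6 connections in 10 s, and an admin
# logging in a few times over 15 minutes.
SAMPLE = [(t, "198.51.100.7", "open") for t in range(0, 12, 2)] + [
    (0, "203.0.113.5", "open"), (30, "203.0.113.5", "close"),
    (300, "203.0.113.5", "open"), (900, "203.0.113.5", "open")]
```

Nothing in the rule set above ages entries out of the table, so check it with `pfctl -t blacklist -T show` and prune old entries periodically with `pfctl -t blacklist -T expire <seconds>` if a legitimate host ever trips the limit.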