On Sep 17, 2008, at 4:15 PM, Marc G. Fournier wrote:
Does anyone know of a utility that I can use with sshd to auto-block by IP if
there are more than N failed attempts in a row?

Certainly.  See:

% cat /usr/ports/security/denyhosts/pkg-descr
DenyHosts is a script intended to be run by *ix system administrators to
help thwart ssh server attacks.

If you've ever looked at your ssh log (/var/log/auth.log ) you may be alarmed
to see how many hackers attempted to gain access to your server.
Denyhosts helps you:
- Parses /var/log/auth.log to find all login attempts
- Can be run from the command line, cron or as a daemon (new in 0.9)
- Records all failed login attempts for the user and offending host
- For each host that exceeds a threshold count, records the evil host
- Keeps track of each non-existent user (eg. sdada) when a login attempt failed.
- Keeps track of each existing user (eg. root) when a login attempt failed.
- Keeps track of each offending host (hosts can be purged )
- Keeps track of suspicious logins
- Keeps track of the file offset, so that you can reparse the same file
- When the log file is rotated, the script will detect it
- Appends /etc/hosts.allow
- Optionally sends an email of newly banned hosts and suspicious logins.
- Resolves IP addresses to hostnames, if you want

WWW:    http://denyhosts.sourceforge.net/

Works fine. Just be careful to whitelist some known-OK IPs first, as you can end up blocking yourself out if someone is careless logging in as the wrong user or similar....

Regards,
--
-Chuck

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
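
The counting that the package description above lists (failed attempts per host, a threshold, and the whitelist caveat from the reply), as an added example; it is not DenyHosts code and not part of the original message. The function name, the "streak resets on a successful login" rule and the sample log lines are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# OpenSSH password-auth messages. FAILED is anchored at end of line so text
# inside a user name cannot move the "from <ip>" that gets captured.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?.* "
                    r"from (\S+) port \d+(?: ssh2)?$")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for \S+ from (\S+) port \d+")

# Constructed sample log (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
Sep 17 16:01:02 host sshd[811]: Failed password for invalid user sdada from 203.0.113.5 port 4222 ssh2
Sep 17 16:01:05 host sshd[811]: Failed password for root from 203.0.113.5 port 4223 ssh2
Sep 17 16:01:09 host sshd[812]: Failed password for root from 203.0.113.5 port 4224 ssh2
Sep 17 16:02:00 host sshd[820]: Failed password for alice from 192.0.2.10 port 5000 ssh2
Sep 17 16:02:04 host sshd[820]: Failed password for alice from 192.0.2.10 port 5001 ssh2
Sep 17 16:02:09 host sshd[820]: Failed password for alice from 192.0.2.10 port 5002 ssh2
Sep 17 16:03:00 host sshd[830]: Failed password for bob from 198.51.100.7 port 6000 ssh2
Sep 17 16:03:05 host sshd[830]: Failed password for bob from 198.51.100.7 port 6001 ssh2
Sep 17 16:03:09 host sshd[830]: Accepted password for bob from 198.51.100.7 port 6002 ssh2
Sep 17 16:03:30 host sshd[831]: Failed password for bob from 198.51.100.7 port 6003 ssh2
""".splitlines()

def hosts_to_block(lines, threshold, allowlist=()):
    """Return IPs with more than `threshold` failed logins in a row."""
    allowed = [ipaddress.ip_network(n) for n in allowlist]
    streak = defaultdict(int)
    blocked = []
    for line in lines:
        ok = ACCEPTED.search(line)
        if ok:
            streak[ok.group(1)] = 0  # success ends that host's streak
            continue
        bad = FAILED.search(line)
        if not bad:
            continue
        try:
            ip = ipaddress.ip_address(bad.group(1))
        except ValueError:
            continue  # not an IP literal; ignore rather than guess
        if any(ip in net for net in allowed):
            continue  # allowlisted hosts are never counted or blocked
        streak[str(ip)] += 1
        if streak[str(ip)] > threshold and str(ip) not in blocked:
            blocked.append(str(ip))
    return blocked

if __name__ == "__main__":
    print(hosts_to_block(SAMPLE_LOG, threshold=2, allowlist=["192.0.2.0/24"]))
```

Without the allowlist entry, the admin host at 192.0.2.10 in the sample would be blocked after three mistyped passwords, which is the lockout the reply warns about.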