"Marc G. Fournier" <[EMAIL PROTECTED]> writes:

> Does anyone know of a utility that I can use with sshd to auto-block by IP if
> there are more then N failed attempts in a row?

With PF, you could use state tracking options and overload rules to
set limits on the rate of new connections from any one host and/or the
rate of new connections,

pass quick proto { tcp, udp } from any to any port ssh \
        flags S/SA keep state \
        (max-src-conn 15, max-src-conn-rate 5/3, \
        overload <bruteforce> flush global)

supplemented by a rule that handles traffic from the bruteforce table
(block quick, assign to tiny queue, whatever).  One of the more popular
pages in the PF tutorial (<http://home.nuug.no/~peter/pf/en/bruteforce.html>) 
is about just that, see <http://home.nuug.no/~peter/pf/> for a wider range
of formats.

There are other packages that will read your auth log and count, but being
sort of a PF guy I found the PF-based solution quite attractive and flexible.

Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: disconnected after 42673 seconds.
freebsd-questions@freebsd.org mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to