On Wed, Dec 3, 2008 at 7:53 PM, Daniel Bye <[EMAIL PROTECTED]> wrote:

> On Wed, Dec 03, 2008 at 07:43:26PM -0600, Jeffrey Goldberg wrote:
> > It's not a big issue, but I'm wondering if there is a DNSBL that lists
> > IPs that are engaging in brute force ssh attacks. And if there is
> > such a list, is there a way to integrate that information into a
> > firewall or sshd.
> >
> > As I've said this really isn't a big issue for me, as the brute force
> > attempts at sshd are nothing but an annoyance as I review logs.
> >
> > The attacks that I'm seeing appear to be coordinated and distributed.
> > That is, there will be one attempt on username "fred" from one IP
> > immediately followed by an attempt on "freddy" from another IP
> > followed by an attempt on "fredrick" from a third source and so on.
>
> I don't know of any DNSBL-type service, but I am using DenyHosts with
> very great success. Its synchronisation feature allows participating
> instances of the script to share IP addresses of misbehaving hosts,
> so as soon as an address hits the database, it's only a matter of an
> hour or so before your instance can start blocking it.
>
> The basic setup uses TCP wrappers to block offending hosts, but I am
> using the datafile it maintains as a file-based table in pf, which I
> reload periodically from a cronjob.
>
> Dan
>
> --
> Daniel Bye
> ASCII ribbon campaign - against HTML, vCards and
> proprietary attachments in e-mail
Depending on the role of the machine, I've started to firewall off remote
ssh connects to my machines except only the hosts I use: a dyndns hostname
+ pf querying DNS, and the static IPs that I have at the office. All others
don't need access, and if push comes to shove, I can update the dyndns IP
with anything I'm behind, allow DNS propagation (an hour?), and then
connect. Works quite well.

pf example:

    block in on fxp0 all
    pass in on fxp0 inet proto tcp from { <workIP>, "sub.dyndnsorg.tld" } to port 22 keep state flags S/SA

When you implement this, the firewall sees no existing state (I think) and
will kill your connection. If you didn't typo the firewall rule, you can
connect right back.

--TJ
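The cron job Dan mentions (DenyHosts data file pulled into a pf file-based table) is easy to script. The block below is an added example for this thread, not code from Dan, TJ or the DenyHosts project. It assumes DenyHosts writes its default "sshd: A.B.C.D" lines to /etc/hosts.deny, and that pf.conf declares a hypothetical table along the lines of `table <sshbrute> persist file "/etc/pf.sshbrute"` with a `block in quick on $ext_if proto tcp from <sshbrute> to port 22` rule. The input file here is a constructed sample; point it at the real hosts.deny to use it.

```shell
#!/bin/sh
# Added example for the thread above (not DenyHosts' or the posters' code).
# Extract the addresses DenyHosts has written to hosts.deny, write them to a
# pf table file, and replace the running table with it from cron.
#
# Assumed pf.conf (hypothetical names):
#   table <sshbrute> persist file "/etc/pf.sshbrute"
#   block in quick on $ext_if proto tcp from <sshbrute> to port 22

# Write the unique, syntactically valid IPv4 addresses from a hosts.deny
# file ($1) to a table file ($2), one per line, and print how many there are.
# Only "sshd:" entries are taken; comments, "ALL:" lines, IPv6 and malformed
# addresses are skipped so a bad line never breaks the pfctl load.
hosts_deny_to_table() {
    awk -F'[: \t]+' '
        function ip4(s,   a, n, i) {
            n = split(s, a, ".")
            if (n != 4) return 0
            for (i = 1; i <= 4; i++)
                if (a[i] !~ /^[0-9]+$/ || a[i] + 0 > 255) return 0
            return 1
        }
        /^[ \t]*#/ || NF < 2 { next }        # skip comments and blank lines
        $1 == "sshd" && ip4($2) { print $2 }  # keep only sshd denials
    ' "$1" | sort -u > "$2"
    wc -l < "$2" | tr -d ' '
}

# Replace the contents of the running table with the file (needs root + pf).
# "pfctl -t NAME -T replace -f FILE" swaps the table atomically, so a host
# that DenyHosts has since unblocked drops out of the table as well.
load_table() {
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -t sshbrute -T replace -f "$1"
    else
        echo "pfctl not available; wrote $1 but did not load it" >&2
        return 0
    fi
}

# Constructed sample standing in for /etc/hosts.deny (not real DenyHosts data).
SAMPLE_DENY=$(mktemp)
TABLE_FILE=$(mktemp)
cat > "$SAMPLE_DENY" <<'EOF'
# /etc/hosts.deny (constructed sample)
ALL: PARANOID
# DenyHosts: Wed Dec  3 20:10:00 2008 | sshd: 203.0.113.7
sshd: 203.0.113.7
sshd: 198.51.100.23
sshd: 203.0.113.7
sshd: 999.1.1.1
sshd: 2001:db8::1
EOF

COUNT=$(hosts_deny_to_table "$SAMPLE_DENY" "$TABLE_FILE")
echo "wrote $COUNT addresses to $TABLE_FILE"
load_table "$TABLE_FILE"
```

Run it from cron as root every few minutes (after DenyHosts' own sync interval) and the table tracks whatever DenyHosts currently lists. One caveat for TJ's variant with a dyndns hostname in the rule itself: pf resolves hostnames when the ruleset is loaded, not per packet, so after the dyndns record changes the rules must be reloaded (pfctl -f /etc/pf.conf) before the new address is allowed in; a table loaded from a file or by a script avoids that by being updated without touching the ruleset.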