Hi. You can bind ssh to another port and/or you can play with a little scripting and the excellent packet filter. I run a script from cron that greps the IP addresses from the ssh scans, dumps them in a file, and a pf table uses this file to drop connections from these IPs. Depending on the type, these IP addresses will be removed after a specific amount of time.
The script is really stupid and easy:

#!/bin/sh
exec 2>&1
LOGTAIL=/usr/local/bin/logtail
PF_TABLE=sshscanners
# Penalties:
PENALTY_SCAN=1.0
PENALTY_INVALID_USER=2.0
PENALTY_ROOT_ACCESS=4.0
# Time to expire
TTE_BLACK_LIST=43200 # 12 hours
TMPFILE=/tmp/authlog.tail.$$
NOW=`date +'%s'`

# only the authlog lines that appeared since the last run
$LOGTAIL /var/log/authlog > $TMPFILE

# one "count ip score" file per event type; grep -v drops hostnames
grep 'Did not receive identification string from' $TMPFILE \
  | awk -v SCORE=$PENALTY_SCAN '{print $12,SCORE;}' \
  | grep -v '[a-zA-Z]' | sort | uniq -c > /tmp/sshd_no_id.$$
grep 'Invalid user' $TMPFILE \
  | awk -v SCORE=$PENALTY_INVALID_USER '{print $10,SCORE;}' \
  | grep -v '[a-zA-Z]' | sort | uniq -c > /tmp/sshd_invalid_users.$$
grep 'Failed password for root from' $TMPFILE \
  | awk -v SCORE=$PENALTY_ROOT_ACCESS '{print $11,SCORE;}' \
  | grep -v '[a-zA-Z]' | sort | uniq -c > /tmp/sshd_root_hackers.$$

# sum count*score per IP; output "ip # score stamp" (pf ignores the comment)
cat /tmp/sshd_root_hackers.$$ /tmp/sshd_invalid_users.$$ /tmp/sshd_no_id.$$ \
  | awk -v STAMP=$NOW '{bastards[$2]+=$1*$3;} END{for (ip in bastards) {print ip" # "bastards[ip]" "STAMP;}}' \
  > /tmp/new_bastards.$$

cp /etc/pf.d/sshscans /tmp/sshscans.$$
echo "Updating table ${PF_TABLE}: "
echo ""
# keep old and new entries whose score-weighted expiry time has not passed yet
cat /tmp/sshscans.$$ /tmp/new_bastards.$$ | grep '^[0-9]' \
  | awk -v NOW=$NOW -v TTE=$TTE_BLACK_LIST '{if ((NOW-$4)<TTE*$3) {print $0;}}' \
  > /etc/pf.d/sshscans
/sbin/pfctl -t $PF_TABLE -T replace -f /etc/pf.d/sshscans -v \
  | grep -v '^X' | sed -e 's/^A /Adding /g' -e 's/^D /Deleting /g' 2>&1
echo ""
/bin/rm -f /tmp/sshd_root_hackers.$$ /tmp/sshd_invalid_users.$$ /tmp/sshd_no_id.$$ /tmp/new_bastards.$$ $TMPFILE

pf.conf defines a table with the addresses built from that file and drops them:

[... snipp ...]
table <sshscanners> file "/etc/pf.d/sshscans" persist
[...]
block return-rst in log quick on $ext_if proto tcp from <sshscanners> to any port 22
[... snipp ...]

This works for me but your mileage may vary.

HTH,
Andreas.

On 7/4/06, sonjaya <[EMAIL PROTECTED]> wrote:
Dear all, how do I block ddos/flooding/ssh brute attacks with pf? -sonjaya-
--
Hobbes : Shouldn't we read the instructions?
Calvin : Do I look like a sissy?
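The scoring and expiry logic of Andreas's script, as an added example that is not part of the thread: the same three authlog patterns and field positions, the same penalties and the same "ip # score stamp" table-file format are reimplemented as two POSIX shell functions that read stdin, so they can be exercised on constructed log lines without logtail, cron or pfctl. The sample log lines, the host name gw and the timestamps are constructed for the demonstration; the hostname filter uses a dotted-quad regex instead of the post's grep -v '[a-zA-Z]'.

```shell
#!/bin/sh
# Added example, not the script from the post. Same penalties and expiry base.
PENALTY_SCAN=1.0
PENALTY_INVALID_USER=2.0
PENALTY_ROOT_ACCESS=4.0
TTE_BLACK_LIST=43200   # 12 hours of blocking per point of score

# score_authlog NOW: read authlog lines on stdin, sum the penalties per source
# IP and print "ip # score NOW" lines (pf treats everything after # as a
# comment, so the same file can be loaded as a table). Output sorted by IP.
score_authlog() {
    awk -v NOW="$1" -v SCAN="$PENALTY_SCAN" -v INV="$PENALTY_INVALID_USER" \
        -v ROOT="$PENALTY_ROOT_ACCESS" '
    # field positions as in the post: the IP follows "from" in each message
    /Did not receive identification string from/ { ip = $12; s = SCAN }
    /Invalid user/                               { ip = $10; s = INV }
    /Failed password for root from/              { ip = $11; s = ROOT }
    ip != "" {
        # keep dotted quads only; sshd may log a hostname here instead
        if (ip ~ /^[0-9.]+$/) score[ip] += s
        ip = ""
    }
    END { for (i in score) printf "%s # %s %s\n", i, score[i], NOW }
    ' | sort
}

# expire_table NOW: read "ip # score stamp" lines on stdin and print only the
# entries whose score-weighted lifetime (TTE * score seconds) has not yet
# elapsed; non-IP lines (comments) are dropped as in the post.
expire_table() {
    grep '^[0-9]' | awk -v NOW="$1" -v TTE="$TTE_BLACK_LIST" '(NOW - $4) < TTE * $3'
}

# Constructed authlog excerpt (host "gw" and addresses are made up, TEST-NET).
SAMPLE_AUTHLOG='Jul  4 10:00:01 gw sshd[1001]: Did not receive identification string from 192.0.2.10
Jul  4 10:00:05 gw sshd[1002]: Invalid user admin from 192.0.2.10
Jul  4 10:00:09 gw sshd[1003]: Failed password for root from 192.0.2.20 port 40001 ssh2
Jul  4 10:00:12 gw sshd[1004]: Invalid user test from scanner.example.net'

# Stand-alone demonstration: score the sample at stamp 1000, then show which
# entries survive 36 hours later (1000 + 3*43200 = 130600).
echo "== scored table at stamp 1000 =="
printf '%s\n' "$SAMPLE_AUTHLOG" | score_authlog 1000
echo "== entries still blocked at 130600 =="
printf '%s\n' "$SAMPLE_AUTHLOG" | score_authlog 1000 | expire_table 130600
```

Run it to see that 192.0.2.10 collects 1 + 2 = 3 points (a scan plus an invalid-user attempt) and is released exactly 36 hours after its stamp, while the root-password attempt from 192.0.2.20 scores 4 and stays listed for 48 hours; the hostname entry never enters the table. To plug this into the post's setup you would feed score_authlog with logtail output, append the result to /etc/pf.d/sshscans, filter the file through expire_table and load it with pfctl -T replace as the post does.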