Hi, you can use swatch and pf together to combat this. Set a threshold in swatch as to how many failed connections to allow before blocking that host.

I used to use this when I still allowed ssh logins. Now I use ssh keys + sudo for remote access. As there is no login prompt, brute forcing isn't an option.

There's more info on setting up swatch and pf at: http://www.section6.net/help/swatch.php

I wouldn't worry too much about having your root password cracked, as by default root cannot login remotely. Allowing it remote login instead of sudo/su is just a tad daft :)

Stephen.

On 5/21/05, Melameth, Daniel D. <[EMAIL PROTECTED]> wrote:
> tefol tefol wrote:
> > I manage several different pf firewalls around the country, and so I
> > need to have ssh access allowed. Occasionally (more and more often
> > lately), I get script kiddies having a go at brute forcing my root
> > password (see below) or brute forcing a selection of guessed account
> > names (like guest, admin, root, ...)
> >
> > While I have quite secure passwords, the blatting of my console is
> > something I object to quite highly. Is there a way in PF to detect all
> > these failed ssh connection attempts from a single address in a small
> > time period and block them for a given time period?
> >
> > Is there something else I can use to do this more elegantly?
> >
> > May 20 13:03:29 gateway sshd[25056]: Failed password for root from 69.0.238.65 port 46233 ssh2
> > May 20 13:03:29 gateway sshd[25056]: Failed password for root from 69.0.238.65 port 46233 ssh2
> > May 20 13:03:32 gateway sshd[30463]: Failed password for root from 69.0.238.65 port 46283 ssh2
> > May 20 13:03:32 gateway sshd[30463]: Failed password for root from 69.0.238.65 port 46283 ssh2
> > May 20 13:03:34 gateway sshd[7587]: Failed password for root from 69.0.238.65 port 46346 ssh2
>
> Check the archives and see stateful tracking in 3.7's pf.conf manual...
>
> For example, the following rules will protect the webserver against
> hosts making more than 100 connections in 10 seconds. Any host which
> connects faster than this rate will have its address added to the
> <bad_hosts> table and have all states originating from it flushed. Any
> new packets arriving from this host will be dropped unconditionally by
> the block rule.
>
>     block quick from <bad_hosts>
>     pass in on $ext_if proto tcp to $webserver port www flags S/SA keep state (max-src-conn-rate 100/10, overload <bad_hosts> flush global)
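The swatch-style thresholding Stephen describes, written out as a small Python detector so the two approaches in this thread can be compared. This is an added example, not code from the thread, from swatch, or from pf; the function names (parse_failed_login, offending_hosts, pfctl_commands) are my own, and the log lines are constructed to resemble the ones tefol posted, using documentation-range addresses. It counts sshd "Failed password" events per source address inside a sliding time window and, once a host crosses the threshold, builds the pfctl commands that would put that address into the same <bad_hosts> table the quoted pf rule uses (the commands are returned as strings, not executed). One caveat worth keeping in mind when choosing between the two: max-src-conn-rate counts new TCP connections per interval, so a scanner that keeps under 100 connections in 10 seconds is never touched by the overload rule, whereas a log-based threshold catches it as soon as it racks up enough authentication failures. Also note that sshd can log the same failure twice for one connection (the duplicate pid 25056 lines above); this example counts each logged line, so set the threshold with that in mind.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches a syslog-style OpenSSH failure line such as:
#   May 20 13:03:29 gateway sshd[25056]: Failed password for root from 69.0.238.65 port 46233 ssh2
# "invalid user" appears when the account does not exist (guest, admin, ...).
FAILED_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"\S+ sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_failed_login(line, year=2005):
    """Return (timestamp, user, ip) for a 'Failed password' line, else None.

    syslog omits the year, so the caller supplies it (hypothetical default).
    """
    m = FAILED_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]


def offending_hosts(lines, threshold=5, window=timedelta(seconds=30), year=2005):
    """Sliding-window count of failed logins per source address.

    Returns {ip: timestamp of the failure that crossed the threshold}.
    A host is reported once, the first time it has `threshold` or more
    failures within any interval of length `window`.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        parsed = parse_failed_login(line, year)
        if parsed is None:
            continue              # accepted logins, other daemons, noise
        ts, _user, ip = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop failures older than the window
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


def pfctl_commands(ips, table="bad_hosts"):
    """Build the pfctl invocations that add each host to the overload table
    and kill its existing states, mirroring what 'overload ... flush' does.
    Returned as strings only; nothing here runs them."""
    cmds = []
    for ip in sorted(ips):
        cmds.append(f"pfctl -t {table} -T add {ip}")
        cmds.append(f"pfctl -k {ip}")
    return cmds


# Constructed sample log, modelled on the lines in the thread. 192.0.2.10 is
# the brute-forcer; 198.51.100.7 has one typo'd login and should not be blocked.
SAMPLE_LOG = """\
May 20 13:03:29 gateway sshd[25056]: Failed password for root from 192.0.2.10 port 46233 ssh2
May 20 13:03:29 gateway sshd[25056]: Failed password for root from 192.0.2.10 port 46233 ssh2
May 20 13:03:31 gateway sshd[25060]: Accepted publickey for admin from 198.51.100.7 port 51002 ssh2
May 20 13:03:32 gateway sshd[30463]: Failed password for root from 192.0.2.10 port 46283 ssh2
May 20 13:03:32 gateway sshd[30463]: Failed password for root from 192.0.2.10 port 46283 ssh2
May 20 13:03:33 gateway sshd[30470]: Failed password for invalid user guest from 198.51.100.7 port 51010 ssh2
May 20 13:03:34 gateway sshd[7587]: Failed password for root from 192.0.2.10 port 46346 ssh2
May 20 13:05:01 gateway sshd[7600]: Failed password for admin from 192.0.2.10 port 46400 ssh2
"""

if __name__ == "__main__":
    hits = offending_hosts(SAMPLE_LOG.splitlines())
    for ip, when in hits.items():
        print(f"{ip} crossed the threshold at {when}")
    for cmd in pfctl_commands(hits):
        print(cmd)
```

With the defaults (5 failures inside 30 seconds) only 192.0.2.10 is reported, at the fifth failure (13:03:34); the later 13:05:01 line falls outside the window and does not re-trigger because the host is already flagged. The table entry is what the quoted `block quick from <bad_hosts>` rule acts on, and pf's table expiry (`pfctl -t bad_hosts -T expire <seconds>`) can be used from cron to implement the "block them for a given time period" part of the question.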
