On Fri, Feb 16, 2007 at 04:50:10AM +0000, John wrote:
> Hello list
>
> I've taken normal steps to secure ssh (via key only) but, because it
> is still on the normal port (22), I keep seeing attempts like this in my
> auth log:
> [...]
> 218.108.234.158: 11: Bye Bye
> Feb 16 04:37:25 shell sshd[28264]: Received disconnect from
> 218.108.234.158: 11: Bye Bye
> Feb 16 04:37:29 shell sshd[5110]: Received disconnect from
> 218.108.234.158: 11: Bye Bye
> [...]
> This is every couple of seconds as you can see. What I'd like is to
> allow max 2 failures from one IP in 30 seconds, if more than that write
> to /etc/shitlist.txt which, if the connecting IP is found in there, logs
> and silently drops the connection. Can pf do this?
>
> I kind of think it would be an admission of failure to move sshd to a
> non-standard port because of these idiots.
>
Hello John,

you can use expiretable [1] combined with pf to solve this issue. Here's a
brief explanation on how to use it [2].

I for one think moving sshd to a non-standard port is a bad idea indeed.

regards,

--
[1] http://expiretable.fnord.se/
[2] http://johan.fredin.info/openbsd/block_ssh_bruteforce.html

--
Jérôme Magnin - jethro <@cognet>
good coders reuse code, great coders steal it
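The pf side of the approach Jérôme points to, as an added example that is not from the thread or from either linked page. It assumes an external interface macro `$ext_if` (set here to `em0`) and a table named `<bruteforce>`, and it needs a pf that supports `max-src-conn-rate` and `overload` (OpenBSD 3.7 and later):

```pf
# Added example, not from the thread or the linked pages.
# Assumed names: $ext_if (external interface) and the table <bruteforce>.
ext_if = "em0"

# Kernel-resident table of sources that exceeded the connection rate.
# "persist" keeps the table even while no rule references an entry.
table <bruteforce> persist

# Anyone in <bruteforce> is logged to pflog0 and dropped with no reply.
# "quick" ends rule evaluation here, so the pass rule below never applies.
block in log quick on $ext_if from <bruteforce>

# pf cannot see sshd's authentication failures; it only counts new TCP
# connections. A source opening more than 2 ssh connections within 30
# seconds is added to <bruteforce>, and "flush global" tears down every
# state that source already holds, not just its ssh states.
pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn-rate 2/30, overload <bruteforce> flush global)
```

Load it with `pfctl -f /etc/pf.conf` and list the offenders with `pfctl -t bruteforce -T show`; redirecting that output to a file gives the on-disk list John asked for. Nothing in pf itself removes entries, which is where expiretable comes in: a cron job such as `expiretable -t 24h bruteforce` (the `-t age` form the tool's documentation describes) drops entries older than a day, so a mistyped password from a legitimate host is not a permanent ban. Two caveats worth knowing before relying on this: the counter is connections, not failed logins, so a user who opens several sessions in quick succession trips it as readily as a scanner does, and with key-only authentication the guesses can never succeed anyway, so the main gain is a quieter auth log and fewer sshd forks rather than a change in actual exposure.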
