-------------------------
Original Message:
From: Bryan Irvine <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Date: Friday, September 23 2005 09:55 AM
Subject: Re: is there a way to block sshd trolling?

>Have snort or portsentry add those ips to a table in pf.conf.
>
>--Bryan
>
>On 9/23/05, John Marten <[EMAIL PROTECTED]> wrote:
>> You know what I mean? Every day I get some script kiddie, or adult
>> trying to guess usernames or passwords.
>> I've installed the newest version of SSH, so I'm covered there. But I
>> still get a dozen or 2 of the
>> "sshd Invalid user somename from ###.##.##.###"
>> "input_userauth_request: invalid user somename"
>> "Failed password for invalid user somename"
>> "Received disconnect from ###.##.##.###"
>> Someone told me to add a 'block in quick on $net inet proto {tcp,udp}
>> from ###.##.##.### to any flags S/SA'
>> entry in my pf.conf file. But if I had to do that for every hacker my
>> pf.conf would be huge!
>> There's got to be a better way, and I'm open to suggestions.
>>
>>
>> John F. Marten III
>>
>> Information Technology Specialist
-------------------------

You could use pf to add the entries to your block table based upon 
connect/disconnect rate.

Notice the timescale of this attack in your authlog; no human types this fast.

See man pf.conf for pertinent examples.

Regards,
Rob
