------------------------- Original Message:
From: Bryan Irvine <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Date: Friday, September 23 2005 09:55 AM
Subject: Re: is there a way to block sshd trolling?

>Have snort or portsentry add those IPs to a table in pf.conf.
>
>--Bryan
>
>On 9/23/05, John Marten <[EMAIL PROTECTED]> wrote:
>> You know what I mean? Every day I get some script kiddie, or adult
>> trying to guess usernames or passwords.
>> I've installed the newest version of SSH, so I'm covered there. But I
>> still get a dozen or 2 of the
>> "sshd Invalid user somename from ###.##.##.###"
>> "input_userauth_request: ivalid user somename"
>> "Failed password for invalid user somename"
>> "Recieved disconnect from ###.##.##.###"
>> Someone told me to add a 'block in quick on $net inet proto {tcp,udp}
>> from ###.##.##.### to any flags S/SA'
>> entry in my pf.conf file. But if I had to do that for every hacker my
>> pf.conf would be huge!
>> There's got to be a better way, and I'm open to suggestions.
>>
>>
>> John F. Marten III
>>
>> Information Technology Specialist
-------------------------

You could use pf to add the entries to your block table based upon connect/disconnect rate. Notice the timescale of this attack in your authlog; no human types this fast. See man pf.conf for pertinent examples.

Regards,
Rob
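
The rate-based table approach from the last reply, sketched as a pf.conf fragment. This is an added example, not configuration posted by anyone in the thread; the interface name, the table name `<ssh_abusers>` and the thresholds are assumptions to adjust for your site.

```pf
# Assumption: em0 is the external interface; substitute your own.
ext_if = "em0"

# One table holds every offending address, so the ruleset stays the
# same size no matter how many sources are blocked. "persist" keeps
# the table in memory even while it is empty.
table <ssh_abusers> persist

# Drop anything from a listed source before the pass rule is evaluated.
block in quick on $ext_if from <ssh_abusers>

# Allow SSH, but track each source address:
#   max-src-conn 10       at most 10 simultaneous connections per source
#   max-src-conn-rate 5/60  at most 5 new connections per 60 seconds
#   overload <ssh_abusers>  a source exceeding either limit is added
#                           to the table
#   flush global          and all of its existing states are killed
# The numbers are illustrative; pick values above what your real users
# generate (scripted scp/rsync jobs open connections quickly).
pass in on $ext_if inet proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/60, \
     overload <ssh_abusers> flush global)
```

After reloading with `pfctl -f /etc/pf.conf`, `pfctl -t ssh_abusers -T show` lists the addresses pf has added. The limits count completed TCP connections, not failed logins, so a legitimate host that reconnects rapidly will also be blocked until its entry is removed.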