Re: Banning SSH attackers
From: Alex Gottschalk (agottschalk_at_letstalk.com)
To: Paul Berube <email@example.com>
Date: Fri, 21 Oct 2005 12:26:45 -0700
OpenBSD's PF firewall will let you do this, with any port. More than X
connections/sec from a given IP will let you add that src IP to a table,
which you can then ban, or whatever. Look for the <overload> operator.
On Thu, 2005-10-20 at 11:42 -0600, Paul Berube wrote:
> First off, my personal disclaimer: I'm not a (real) sysadmin, nor a
> security or networking or even a *nix expert, so hopefully I'm not
> missing something obvious. I've looked through the ssh man page and
> googled, but I didn't find anything relevant. Anyway.
> People are running attacks on my server... they look like dictionary
> attacks on usernames and passwords, and I'm sure that any of you who
> look at your logs have seen the same thing on your machines. I have
> reverse-dns checking turned on, and have everyone except select users
> blocked by denygroups and denyusers. I end up with large daily logs
> filled with failed login attempts, user not allowed messages, and
> "possible breaking attempt" messages from reverse-dns failures (eg, more
> than 3800 entries yesterday, from 1 or 2 IPs).
> What I'd like is a system configuration where I just drop all packets
> from hosts that cause one of these messages for the next, say, 5 min.
> This way, a login failure from a legitimate user is not a catastrophic
> event for them, but greatly limits the ability of attackers to hammer on
> ssh. It seems like this sort of setup/process should have a well-known
> name (that I am ignorant of).
> Any advice, suggestions, or pointers would be appreciated!
--
Alex Gottschalk firstname.lastname@example.org
IT Manager/Sysadmin, LetsTalk.com
Office: (415) 357-7635
Cell: (415) 517-4982
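The PF pattern the reply refers to (a per-source connection-rate limit whose overload target is a table, and a block rule on that table) looks like the following. This is an added illustration, not configuration from the thread or from the OpenBSD project; the interface macro `ext_if`, the table name `bruteforce`, and the 5-connections-in-30-seconds threshold are assumptions chosen for the example.

```pf
# Added example of the rate-limit + overload pattern described in the reply.
# Assumed values: the interface name, the table name and the 5/30 threshold
# are illustrative, not taken from the thread.
ext_if = "fxp0"

# Table that collects offending source addresses. "persist" keeps the table
# in the kernel even when no rule currently references it.
table <bruteforce> persist

# Silently drop anything from an address already in the table.
# "quick" stops rule evaluation so a later pass rule cannot override it.
block in quick on $ext_if from <bruteforce>

# Allow ssh, but count new TCP connections per source address. A source that
# opens more than 5 connections within 30 seconds is added to <bruteforce>;
# "flush global" also tears down that host's existing states.
pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn-rate 5/30, overload <bruteforce> flush global)
```

Load it with `pfctl -f /etc/pf.conf` and inspect the table with `pfctl -t bruteforce -T show`. To get the "dropped for the next 5 minutes" behaviour Paul asked for rather than a permanent ban, run `pfctl -t bruteforce -T expire 300` from cron every minute or so; it removes entries older than 300 seconds. Two caveats: PF counts TCP connections, not authentication failures, so a single session that cycles through many passwords is not caught by this rule (sshd's own `MaxAuthTries` limits attempts per connection), and a legitimate user behind the same NAT address as an attacker is blocked along with them for the expiry window.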