Re: Banning SSH attackers

From: Alex Gottschalk (
Date: 10/21/05

  • Next message: Eldon Ziegler: "Re: Banning SSH attackers"
    To: Paul Berube <>
    Date: Fri, 21 Oct 2005 12:26:45 -0700

    OpenBSD's PF firewall will let you do this, with any port. More than X
    connections/sec from a given IP will let you add that src IP to a table,
    which you can then ban, or whatever. Look for the <overload> operator
    here: <>


    On Thu, 2005-10-20 at 11:42 -0600, Paul Berube wrote:
    > Hi.
    > First off, my personal disclaimer: I'm not a (real) sysadmin, nor a
    > security or networking or even a *nix expert, so hopefully I'm not
    > missing something obvious. I've looked through the ssh man page and
    > googled, but I didn't find anything relevant. Anyway.
    > People are running attacks on my server... they look like dictionary
    > attacks on usernames and passwords, and I'm sure that any of you who
    > look at your logs have seen the same thing on your machines. I have
    > reverse-dns checking turned on, and have everyone except select users
    > blocked by denygroups and denyusers. I end up with large daily logs
    > filled with failed login attempts, user not allowed messages, and
    > "possible breaking attempt" messages from reverse-dns failures (eg, more
    > than 3800 entries yesterday, from 1 or 2 IPs).
    > What I'd like is a system configuration where I just drop all packets
    > from hosts that cause one of these messages for the next, say, 5 min.
    > This way, a login failure from a legitimate user is not a catastrophic
    > event for them, but greatly limits the ability of attackers to hammer on
    > ssh. It seems like this sort of setup/process should have a well-known
    > name (that I am ignorant of).
    > Any advice, suggestions, or pointers would be appreciated!
    > Thanks.
    > --Paul

    Alex Gottschalk
    IT Manager/Sysadmin
    Office: (415) 357-7635
    Cell: (415) 517-4982
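
The PF approach described in the reply above could look like the following pf.conf fragment; this is an added example, not part of the original message. The interface macro `ext_if`, the table name `ssh_abusers` and the 5-per-60-seconds threshold are assumptions chosen for illustration.

```conf
# Added example: assumed interface name, table name and thresholds.
ext_if = "em0"

# Table that collects source addresses which exceeded the rate limit.
# "persist" keeps the table in existence even while it is empty.
table <ssh_abusers> persist

# Drop everything from listed sources. "quick" stops rule evaluation
# here, so the pass rule below is never reached for a banned host.
block in quick on $ext_if from <ssh_abusers>

# Allow SSH, tracking connection rate per source address.
#   max-src-conn-rate 5/60  more than 5 new connections in 60 seconds
#                           from one source trips the limit
#   overload <ssh_abusers>  adds the offending source to the table
#   flush global            kills that source's existing states, so
#                           sessions already open are cut off as well
pass in on $ext_if proto tcp from any to any port 22 \
    flags S/SA keep state \
    (max-src-conn-rate 5/60, overload <ssh_abusers> flush global)

# PF does not age table entries out by itself. For the 5-minute ban
# asked about in the quoted message, run this periodically (for
# example from cron) on systems whose pfctl supports "-T expire":
#
#   pfctl -t ssh_abusers -T expire 300
#
# It removes entries that were added more than 300 seconds ago.
```

This limit counts new TCP connections per source, not failed logins, so a legitimate user who opens many sessions quickly (scripts, scp loops) can trip it too; pick the threshold with that in mind.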
