Re: autoblocking many ssh failed logins from the same IP....

Tue, 05 Jul 2005 04:03:50 -0700 

John Cholewa wrote:
Jun 30 10:36:05 phantom sshd[70478]: Failed password for news from 212.88.182.121 port 51218 ssh2 Jun 30 10:36:16 phantom sshd[70500]: Failed password for sshd from 212.88.182.121 port 51608 ssh2 Jun 30 10:36:39 phantom sshd[70569]: Failed password for root from 212.88.182.121 port 52297 ssh2 


I get the above a lot in my logs (except more of it).  Each day, a 
couple hundred failed attempts to log in from one or sometimes two IP 
addresses shows up.  I don't have anything like ipf running, and since 
this machine is about fifteen hundred miles away from me, I don't want 
to experiment with software firewalling right now.



That known, is there any way to tell sshd (or some more powerful 
daemon) to stop accepting login attempts from a given IP if it tries 
and fails to log in too many times in a limited duration (like in the 
same minute)?



I suppose, now that I'm thinking about it, that it'd be best to 
actually just read the man pages and figure out how to get sshd to 
ignore any attempt to attach from ports other than 22.  I mean, why 
are other machines trying to ssh in at ports over fifty thousand anyway?


--
 -JC
 http://www.livejournal.com/users/jcholewa/


PS:  Oh, yeah ... "FreeBSD 4.8-RELEASE #0: Thu Apr  3 10:53:38 GMT 
2003" ; openssh-3.6.1_5 ; openssl-0.9.7d_1




_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions

To unsubscribe, send any mail to 
"[EMAIL PROTECTED]"



I had this on my FreeBSD 4.10 box as well.  sshd can be configured to 
only allow logins for specific users.

Edit /etc/sshd_config to add the following
AllowUsers <USER_NAME>

You can have multiple AllowUsers entries if you want more than one user 
to be able to ssh in.
This has worked pretty well for me, although I still get an occasional 
(once every couple of days) failed login attempt on the one valid user 
name I've set up.  I guess I could use a less guessable user id.



_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"














    











					Reply via email to