On 9/19/2011 2:05 PM, James Strother wrote:
Does anyone know a good way of limiting the number of ssh attempts
from a single IP address?
I found the following website, which describes a variety of approaches:
http://www.freebsdwiki.net/index.php/Block_repeated_illegal_or_failed_SSH_logins
But I am honestly not really happy with any of them. Continuously
polling log files for regex hits seems...well crude. Just to give you
an idea of what I mean, here were some of the issues I had. The
sshd-scan.sh script allows IPs to be reinstated, but the timing is
dependent on how frequently you rotate logs. sshguard has a pretty
website, but I can't actually find much useful documentation on how to
configure it. fail2ban looks like it might work with sufficient work,
but the defaults are terrible. By default, every time an IP is
reinstated, all IPs are reinstated. Not to mention, at present I
can't seem to get it to trigger any hits.
I suppose I could keep shopping, but the truth is I just think polling
log files is the wrong way to solve the problem. Anything based on
this approach is going to have a long latency and be highly dependent
on the unspecified and unstable formatting of log files (see
http://www.fail2ban.org/wiki/index.php/HOWTO_Mac_OS_X_Server_(10.4)
and the troubles an exclamation point can cause).
I would much much rather do something like this:
http://kevin.vanzonneveld.net/techblog/article/block_brute_force_attacks_with_iptables/
Does anyone know a way to do something similar with ipfw?
Thanks in advance,
Jim
_______________________________________________
They cannot attack what they cannot see. That's why I wrote this:
http://www.tundraware.com/Software/tperimeter/
It allows you to restrict access to a fixed set of hosts
(via tcpwrappers) but to dynamically request access from
any host (via wrapper rewriting) so long as you have
credentials to do so. The current version has a worst-case
latency of 5 minutes from the time you remotely request ssh
access be granted until it actually is. I am working toward
an update that will grant the request immediately.
--
----------------------------------------------------------------------------
Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
