Hej there,

Atanas wrote:
> Dag-Erling Smørgrav said the following on 02/15/06 23:35:
>
>> David Malone <[EMAIL PROTECTED]> writes:
>
> Last year I already had to decrease the LoginGraceTime from 120 to 30
> seconds on my production boxes, but it didn't help much, so on top of
> that I got to implement (reinvent the wheel again) a script tailing the
> auth.log and firewalling bad guys in order to secure sshd and let my
> legitimate users in.

You could get rid of parsing auth.log and everything and just use pf(4)
instead. Look at that:

    # sshspammer table
    table <sshspammer> persist
    block log quick from <sshspammer>

    # sshspammer
    # more than 6 ssh attempts in 15 seconds will be blocked ;)
    pass in quick on $ext_if proto tcp to ($ext_if) port ssh $tcp_flags \
        (max-src-conn 10, max-src-conn-rate 6/15, overload <sshspammer> flush global)

> I really miss the inetd features. A setting like "nowait/100/20/5"
> (/max-child[/max-connections-per-ip-per-minute[/max-child-per-ip]])
> would effectively bounce the bad guys, but AFAIK (correct me if I'm
> wrong), ssh is no longer supposed to work via inetd and still has no
> such capabilities.

I believe what you are searching for is indeed the pf(4) stuff mentioned
above :)

> It'd be nice to have something like for instance the sendmail's client
> and rate connection limits, but I guess this is not the right place to ask.

I believe it is. It's about FreeBSD and about Security ;-)

regards,
Marian

_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
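An added illustration, not part of Marian's message or of Atanas's script: the same "more than 6 attempts in 15 seconds" threshold that pf enforces in-kernel with max-src-conn-rate 6/15, applied in user space to a constructed auth.log excerpt, producing the pfctl commands that would add each offender to the <sshspammer> table. It assumes the year 2006 (syslog timestamps carry none) and does not model the max-src-conn 10 concurrent-connection limit.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed auth.log excerpt (not real data); syslog lines carry no year.
SAMPLE_LOG = """\
Feb 15 23:40:01 gw sshd[1201]: Failed password for root from 10.0.0.5 port 40001 ssh2
Feb 15 23:40:02 gw sshd[1203]: Failed password for root from 10.0.0.5 port 40002 ssh2
Feb 15 23:40:03 gw sshd[1205]: Failed password for admin from 10.0.0.5 port 40003 ssh2
Feb 15 23:40:04 gw sshd[1207]: Failed password for admin from 10.0.0.5 port 40004 ssh2
Feb 15 23:40:05 gw sshd[1209]: Failed password for invalid user test from 10.0.0.5 port 40005 ssh2
Feb 15 23:40:06 gw sshd[1211]: Failed password for root from 10.0.0.5 port 40006 ssh2
Feb 15 23:40:07 gw sshd[1213]: Failed password for root from 10.0.0.5 port 40007 ssh2
Feb 15 23:40:10 gw sshd[1215]: Accepted publickey for marian from 192.0.2.7 port 50001 ssh2
Feb 15 23:41:30 gw sshd[1301]: Failed password for marian from 192.0.2.7 port 50002 ssh2
Feb 15 23:41:35 gw sshd[1303]: Accepted password for marian from 192.0.2.7 port 50003 ssh2
Feb 15 23:42:00 gw sshd[1401]: Failed password for root from 10.0.0.9 port 60001 ssh2
Feb 15 23:42:10 gw sshd[1403]: Failed password for root from 10.0.0.9 port 60002 ssh2
Feb 15 23:42:20 gw sshd[1405]: Failed password for root from 10.0.0.9 port 60003 ssh2
"""

# syslog timestamp, then any sshd message naming a source "from <ip> port <n>"
LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: .* from (\d+\.\d+\.\d+\.\d+) port \d+"
)

def find_offenders(log_text, max_conn=6, window=15, year=2006):
    """Source IPs with more than max_conn attempts inside any `window` seconds:
    the sliding threshold pf applies for max-src-conn-rate 6/15 (year assumed)."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    offenders = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd message (e.g. "Connection closed")
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:  # expire old attempts
            q.popleft()
        if len(q) > max_conn:
            offenders.add(ip)
    return offenders

def pfctl_commands(ips, table="sshspammer"):
    """pfctl invocations that would add the offenders to the pf table."""
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(ips)]
```

The slow attacker at 10.0.0.9 never has more than two attempts inside a 15-second window, so neither this script nor the pf rule with 6/15 would block it; only the burst from 10.0.0.5 is caught.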