Re: Auto blacklist ssh connections ...

2008-09-18 Thread eculp
Quoting andrew clarke <[EMAIL PROTECTED]>: On Wed 2008-09-17 19:36:02 UTC-0400, Tom Marchand ([EMAIL PROTECTED]) wrote: Does anyone know of a utility that I can use with sshd to auto-block by IP if there are more than N failed attempts in a row? Why don't you have sshd listen on a differ

Re: Auto blacklist ssh connections ...

2008-09-18 Thread andrew clarke
On Wed 2008-09-17 19:36:02 UTC-0400, Tom Marchand ([EMAIL PROTECTED]) wrote: >> Does anyone know of a utility that I can use with sshd to auto-block >> by IP if there are more than N failed attempts in a row? > Why don't you have sshd listen on a different port? I imagine that on some hosts wh

Re: Auto blacklist ssh connections ...

2008-09-18 Thread Peter N. M. Hansteen
"Marc G. Fournier" <[EMAIL PROTECTED]> writes: > Does anyone know of a utility that I can use with sshd to auto-block by IP if > there are more than N failed attempts in a row? With PF, you could use state tracking options and overload rules to set limits on the rate of new connections from any o

Re: Auto blacklist ssh connections ...

2008-09-18 Thread Andrew D (Webzone)
Howdy, We use Blockhosts found here :) http://www.aczoom.com/cms/blockhosts HTH cya Andrew DA Forsyth wrote: On 17 Sep 2008 , [EMAIL PROTECTED] entreated about "freebsd-questions Digest, Vol 233, Issue 7": Does anyone know of a utility that I can use with sshd to auto-block by IP if th

Re: Auto blacklist ssh connections ...

2008-09-17 Thread Matthew Seaman
Nathan Lay wrote: I employed this solution: http://johan.fredin.info/openbsd/block_ssh_bruteforce.html You have to enable pf, but man it works and it works well! Agreed. I use a slight modification of this configuration on a number of firewalls. As specified in the page referenced above, the

Re: Auto blacklist ssh connections ...

2008-09-17 Thread DA Forsyth
On 17 Sep 2008 , [EMAIL PROTECTED] entreated about "freebsd-questions Digest, Vol 233, Issue 7": > Does anyone know of a utility that I can use with sshd to auto-block by IP if > there are more than N failed attempts in a row? yes, 'pf' the packet filter. http://home.nuug.no/~peter/pf/en/brutef

Re: Auto blacklist ssh connections ...

2008-09-17 Thread Nathan Lay
I employed this solution: http://johan.fredin.info/openbsd/block_ssh_bruteforce.html You have to enable pf, but man it works and it works well! Best Regards, Nathan Lay Marc G. Fournier wrote: Does anyone know of a utility that I can use with ssh

Re: Auto blacklist ssh connections ...

2008-09-17 Thread Agus
2008/9/17 Mel <[EMAIL PROTECTED]>: > On Thursday 18 September 2008 01:15:45 Marc G. Fournier wrote: >> Does anyone know of a utility that I can use with sshd to auto-block by IP >> if there are more than N failed attempts in a row? > > # crontab -l > @reboot /usr/sbin/daemon -p /var/run/grok-ssh.pi

Re: Auto blacklist ssh connections ...

2008-09-17 Thread Mel
On Thursday 18 September 2008 01:15:45 Marc G. Fournier wrote: > Does anyone know of a utility that I can use with sshd to auto-block by IP > if there are more than N failed attempts in a row? # crontab -l @reboot /usr/sbin/daemon -p /var/run/grok-ssh.pid /usr/local/bin/grok -f /etc/pf/grok-ssh.c

Re: Auto blacklist ssh connections ...

2008-09-17 Thread Vulpes Velox
On Wed, 17 Sep 2008 20:15:45 -0300 "Marc G. Fournier" <[EMAIL PROTECTED]> wrote: > Does anyone know of a utility that I can use with sshd to > auto-block by IP if there are more than N failed attempts in a row? > > ie: > > # grep "Invalid u

Re: Auto blacklist ssh connections ...

2008-09-17 Thread Tom Marchand
Why don't you have sshd listen on a different port? I was getting 1000's of ssh login attempts until I changed the port sshd was listening on. I've found script kiddies aren't smart enough to check alt ports. On Sep 17, 2008, at 7:15 PM, Marc G. Fournier wrote: -BEGIN PGP SIGNED ME

Re: Auto blacklist ssh connections ...

2008-09-17 Thread Greg Larkin
Marc G. Fournier wrote: > > Does anyone know of a utility that I can use with sshd to auto-block by IP if > there are more than N failed attempts in a row? > > ie: > > # grep "Invalid user" /var/log/auth.log| awk '{print $10}' | sort | uniq -c | >

Re: Auto blacklist ssh connections ...

2008-09-17 Thread Chuck Swiger
On Sep 17, 2008, at 4:15 PM, Marc G. Fournier wrote: Does anyone know of a utility that I can use with sshd to auto-block by IP if there are more than N failed attempts in a row? Certainly. See: % cat /usr/ports/security/denyhosts/pkg-descr DenyHosts is a script intended to be run by *ix sy

Re: Auto blacklist ssh connections ...

2008-09-17 Thread freebsdemail
: Subject: Auto blacklist ssh connections ... Does anyone know of a utility that I can use with sshd to auto-block by IP if there are more than N failed attempts in a row? ie: # grep "Invalid user" /var/log/auth.log| awk '{print $10}

Auto blacklist ssh connections ...

2008-09-17 Thread Marc G. Fournier
Does anyone know of a utility that I can use with sshd to auto-block by IP if there are more than N failed attempts in a row? ie: # grep "Invalid user" /var/log/auth.log| awk '{print $10}' | sort | uniq -c | sort -nr 5268 140.113.210.174 4863 72