Board: FB_security
Title: RE: Attacks on ssh port
Posted from: NCTU CSIE FreeBSD Server (Sun Sep 26 14:07:22 2004)
Relayed via: ptt!FreeBSD.csie.NCTU!not-for-mail
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Antony Mawer
> Sent: Saturday, September 18, 2004 6:51 PM
> To: Chris Ryan
> Cc: Frankye - ML; [email protected]
> Subject: Re: Attacks on ssh port
>
>
> Chris Ryan wrote:
> > protection - with the appropriate active firewall that
> > blocks their IP address after x failed attempts
> > permanently....
>
> Has anyone found any good scripts or utilities for automating this kind
> of thing? I too have been subject to these probings, and my initial
> thought was to firewall off any address after any number of incorrect
> attempts.
>
> While I could write a script to parse the ipfilter logs, I didn't want
> to go re-inventing the wheel for something which I was sure someone
> would have already attempted.
>
> Anyone have any suggestions?

There's three factors: wasted bandwidth, a successful intrusion and log
noise.

Filtering mitigates bandwidth wastage. But unless you can place the filter
out at the point where the Big Fat Pipe feeds into your comparatively small
pipe (i.e., the ISP's router), it's pointless--the scans will still eat your
bandwidth. IP Filtering is at best a tertiary security measure. It should
not replace proper configuration and maintenance, which is what you're
seeking to accomplish.

Check out the DenyUsers sshd_config keyword. With it OpenSSH will block any
login attempt with an account listed by DenyUsers. DenyUsers-listed
accounts produce logging sooner (upon receipt of the username, rather than
after four bad passwords) and have different log entries than normal
password failures. Cutting down the log noise is then a simple matter of
adding a filter to 800.loginfail or whatever else you may be using to read
auth.log.
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
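
The log filtering suggested in the reply above, sketched as an added example (not part of the original message and not FreeBSD's 800.loginfail script). The function names are hypothetical and the log lines are constructed; the exact sshd wording differs between OpenSSH versions, so only the phrase "not allowed because listed in DenyUsers" is matched. It assumes sshd_config contains a line such as `DenyUsers root admin`.

```shell
#!/bin/sh
# Split sshd entries from auth.log into two views:
#   - DenyUsers rejections, collapsed to one "count user" line per account
#   - every other sshd failure, passed through for a human to read

# Constructed sample input (documentation addresses, invented PIDs).
sample_log() {
cat <<'EOF'
Sep 26 03:10:01 host sshd[1201]: User root from 192.0.2.10 not allowed because listed in DenyUsers
Sep 26 03:10:04 host sshd[1203]: User admin from 192.0.2.10 not allowed because listed in DenyUsers
Sep 26 03:11:15 host sshd[1210]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Sep 26 03:12:40 host sshd[1215]: User root from 203.0.113.5 not allowed because listed in DenyUsers
Sep 26 03:13:02 host sshd[1220]: Accepted publickey for alice from 198.51.100.7 port 40031 ssh2
Sep 26 03:14:00 host cron[900]: (root) CMD (newsyslog)
EOF
}

# Collapse DenyUsers rejections into "count user", highest count first.
# The account name is the field following the literal word "User".
denied_summary() {
    awk '/sshd\[/ && /not allowed because listed in DenyUsers/ {
             for (i = 1; i < NF; i++)
                 if ($i == "User") { n[$(i + 1)]++; break }
         }
         END { for (u in n) print n[u], u }' | sort -k1,1nr -k2,2
}

# Pass through sshd failures that are not DenyUsers rejections; these are
# the entries a daily report should still show in full.
other_failures() {
    awk '/sshd\[/ && /[Ff]ail/ && !/listed in DenyUsers/'
}

echo "DenyUsers rejections (count user):"
sample_log | denied_summary
echo "Other sshd failures:"
sample_log | other_failures
```

To run it against a real log, replace `sample_log |` with a redirect from the log file, for example `denied_summary < /var/log/auth.log`.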