Re: is there a way to block sshd trolling?
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: is there a way to block sshd trolling?
- From: jared r r spiegel <jrrs_(_at_)_ice-nine_(_dot_)_org>
- Date: Fri, 23 Sep 2005 20:07:35 -0600
- Mail-followup-to: jared r r spiegel <jrrs_(_at_)_ice-nine_(_dot_)_org>, misc_(_at_)_openbsd_(_dot_)_org
On Fri, Sep 23, 2005 at 11:40:36AM -0700, John Marten wrote:
> "input_userauth_request: ivalid user somename"
> "Failed password for invalid user somename"
haven't read the entire thread yet, so doubtless this has
come up, but i use:
--
# external interface; "persist" keeps <bad_hosts> around even when it is empty
e = sis2
table <bad_hosts> persist { }
# tag the incoming SSH SYN so the next rule can match on it
pass in on $e inet proto tcp from any to (carp0:0) port 22 synproxy state flags S/SA tag IBSSH
# more than 10 new connections in 90s from one source: add it to <bad_hosts>
# and kill every state it holds ("flush global")
pass in log on $e tagged IBSSH keep state (max-src-conn-rate 10/90 overload <bad_hosts> flush global)
# "quick" makes this final even though it sits after the pass rules (pf is last-match)
block log quick from <bad_hosts>
--
i decided upon that rate after seeing what kind of rate i would
get the spam at.
most people seem to be trying at a rate of 1 attempt per 2-4 seconds,
so maybe the default in the "program" is ~3. a couple of smart people
seem to have adjusted that to 1 try per 10s.
caveat is that i currently haven't implemented a way to expire entries
out; however, until you get something fancier tested/implemented,
some simple pf action like that above might fly.
jared
--
[ openbsd 3.8 GENERIC ( sep 10 ) // i386 ]
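To see how a given max-src-conn-rate setting would have behaved before putting it in pf.conf, here is an added example (not from the post above) that replays the "Failed password for invalid user" lines quoted in the thread against a 10/90 limit. It approximates pf with a strict sliding window (pf itself uses a moving average), the host name, PIDs, addresses and year in the sample lines are constructed, and it shows the 1-try-per-10s pattern jared mentions slipping under 10/90.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the sshd line quoted in the thread; syslog omits the year, so one is assumed.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<src>[\d.]+) port \d+"
)

def parse_line(line, year=2005):
    """Return (timestamp, source address), or None for lines that are not failed logins."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["src"]

def overloading_sources(lines, limit=10, interval=90):
    """Approximate max-src-conn-rate limit/interval over a log excerpt.

    A source is reported (with the time it would have entered the overload
    table) once more than `limit` attempts fall inside any `interval`-second
    window. Assumption: pf uses a moving average, not this exact arithmetic.
    """
    windows = defaultdict(deque)   # per-source timestamps still inside the window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src = parsed
        w = windows[src]
        w.append(ts)
        while (ts - w[0]).total_seconds() > interval:
            w.popleft()
        if len(w) > limit and src not in flagged:
            flagged[src] = ts
    return flagged

def make_log(src, step, count):
    """Constructed sample lines: `count` failures from `src`, one every `step` seconds."""
    return [
        f"Sep 23 11:{(i * step) // 60:02d}:{(i * step) % 60:02d} gw sshd[{1000 + i}]: "
        f"Failed password for invalid user somename from {src} port {40000 + i} ssh2"
        for i in range(count)
    ]

# 192.0.2.10 tries every 3s (the common pattern); 198.51.100.7 every 10s (the "smart" one).
SAMPLE_LOG = make_log("192.0.2.10", 3, 20) + make_log("198.51.100.7", 10, 10)

if __name__ == "__main__":
    for src, when in overloading_sources(SAMPLE_LOG).items():
        print(f"{src} would hit <bad_hosts> at {when:%H:%M:%S}")
```

Dropping the limit (for example 5/60) catches the slow source as well, at the cost of more false positives from legitimate users mistyping a password. On the expiry caveat, `pfctl -t bad_hosts -T expire <seconds>` run from cron removes addresses older than the given age from the table.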