Re: is there a way to block sshd trolling?

On Fri, Sep 23, 2005 at 11:40:36AM -0700, John Marten wrote:
> "input_userauth_request: ivalid user somename"
> "Failed password for invalid user somename"

  haven't read the entire thread yet, so doubtless this has
  come up, but i use:

e =                     sis2

table   <bad_hosts>     persist         { }

pass in on $e inet proto tcp from any to (carp0:0) port 22 synproxy state flags S/SA tag IBSSH
pass in log on $e tagged IBSSH keep state (max-src-conn-rate 10/90 overload <bad_hosts> flush global)
block log quick from <bad_hosts>

  i decided upon that rate after seeing what kind of rate i would
  get the spam.

  most people seem to be trying at a rate of 1 attempt per 2-4 seconds, 
  so maybe the default in the "program" is ~3.  a couple of smart people
  seem to have adjusted that to 1 try per 10s.

  caveat is that i currently haven't implemented a way to expire entries
  out, however until you get something fancier tested/implemented,
  some simple pf action like that above might fly
[ openbsd 3.8 GENERIC ( sep 10 ) // i386 ]
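The pf rule above trips once a source opens 10 connections to port 22 within 90 seconds. As an added example (not part of the original post, and not OpenBSD or pf code), the script below applies the same 10-in-90-seconds rule to sshd log lines on the host side, so you can test a threshold against your own authlog before committing it to pf.conf. The log excerpt is constructed for the example, uses reserved documentation addresses, and the timestamp handling assumes all lines fall on the same day.

```shell
#!/bin/sh
# Constructed sshd authlog excerpt (not from the original post).
# 192.0.2.10   fails every 3 seconds, 10 times in 27 seconds
# 203.0.113.5  fails every 15 seconds, 10 times in 135 seconds
# 198.51.100.7 fails twice, then logs in
SAMPLE_LOG=$(cat <<'EOF'
Sep 23 11:40:36 gw sshd[2101]: Failed password for invalid user somename from 192.0.2.10 port 4001 ssh2
Sep 23 11:40:39 gw sshd[2103]: Failed password for invalid user somename from 192.0.2.10 port 4002 ssh2
Sep 23 11:40:40 gw sshd[2104]: Failed password for invalid user admin from 203.0.113.5 port 5001 ssh2
Sep 23 11:40:42 gw sshd[2105]: Failed password for invalid user test from 192.0.2.10 port 4003 ssh2
Sep 23 11:40:45 gw sshd[2107]: Failed password for invalid user test from 192.0.2.10 port 4004 ssh2
Sep 23 11:40:48 gw sshd[2109]: Failed password for invalid user guest from 192.0.2.10 port 4005 ssh2
Sep 23 11:40:50 gw sshd[2110]: Failed password for john from 198.51.100.7 port 6001 ssh2
Sep 23 11:40:51 gw sshd[2111]: Failed password for invalid user guest from 192.0.2.10 port 4006 ssh2
Sep 23 11:40:54 gw sshd[2113]: Failed password for invalid user oracle from 192.0.2.10 port 4007 ssh2
Sep 23 11:40:55 gw sshd[2114]: Failed password for invalid user admin from 203.0.113.5 port 5002 ssh2
Sep 23 11:40:56 gw sshd[2110]: Failed password for john from 198.51.100.7 port 6001 ssh2
Sep 23 11:40:57 gw sshd[2115]: Failed password for invalid user oracle from 192.0.2.10 port 4008 ssh2
Sep 23 11:41:00 gw sshd[2117]: Failed password for invalid user root from 192.0.2.10 port 4009 ssh2
Sep 23 11:41:02 gw sshd[2110]: Accepted password for john from 198.51.100.7 port 6001 ssh2
Sep 23 11:41:03 gw sshd[2119]: Failed password for invalid user root from 192.0.2.10 port 4010 ssh2
Sep 23 11:41:10 gw sshd[2120]: Failed password for invalid user admin from 203.0.113.5 port 5003 ssh2
Sep 23 11:41:25 gw sshd[2122]: Failed password for invalid user admin from 203.0.113.5 port 5004 ssh2
Sep 23 11:41:40 gw sshd[2124]: Failed password for invalid user admin from 203.0.113.5 port 5005 ssh2
Sep 23 11:41:55 gw sshd[2126]: Failed password for invalid user admin from 203.0.113.5 port 5006 ssh2
Sep 23 11:42:10 gw sshd[2128]: Failed password for invalid user admin from 203.0.113.5 port 5007 ssh2
Sep 23 11:42:25 gw sshd[2130]: Failed password for invalid user admin from 203.0.113.5 port 5008 ssh2
Sep 23 11:42:40 gw sshd[2132]: Failed password for invalid user admin from 203.0.113.5 port 5009 ssh2
Sep 23 11:42:55 gw sshd[2134]: Failed password for invalid user admin from 203.0.113.5 port 5010 ssh2
EOF
)

# ssh_bruteforce_sources MAX SECONDS  (reads sshd log lines on stdin)
# Prints, once each, the source addresses that accumulated MAX or more
# "Failed password" lines inside any SECONDS-long window, i.e. the same
# MAX/SECONDS shape as pf's max-src-conn-rate.  Timestamps are taken
# from the syslog HH:MM:SS field and assumed to be on the same day.
ssh_bruteforce_sources() {
    awk -v max="$1" -v win="$2" '
    /Failed password for/ {
        split($3, t, ":")
        ts = t[1] * 3600 + t[2] * 60 + t[3]
        ip = ""
        for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
        if (ip == "" || flagged[ip]) next
        n[ip]++
        hit[ip, n[ip]] = ts
        # count this source'"'"'s failures inside the window ending now
        c = 0
        for (j = 1; j <= n[ip]; j++) if (hit[ip, j] >= ts - win) c++
        if (c >= max) { flagged[ip] = 1; print ip }
    }'
}

# Stand-alone run: the same 10/90 threshold as the pf rule in the post.
printf '%s\n' "$SAMPLE_LOG" | ssh_bruteforce_sources 10 90
```

With 10/90 only the 3-second-interval source is reported; the 15-second-interval source never has 10 failures in one 90-second window, which is the point the post makes about attackers who slow down. Lowering the threshold to 5/90 catches both while still leaving the user who mistyped twice alone. For the expiry the post says it lacks, a pfctl(8) that has the `-T expire` command can be run from cron, e.g. `pfctl -t bad_hosts -T expire 86400`, to drop table entries that have been idle for a day; whether that command is available on a given release is an assumption to check in the local man page.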