SSH scans vs connection ratelimiting

Pieter de Boer pieter at thedarkside.nl
Sun Aug 20 12:50:16 UTC 2006


Lyndon Nerenberg wrote:
> Take a look at /usr/ports/security/bruteforceblocker.  It monitors the 
> system log for failed ssh logins, and blocks the sites via pf.  It's 
> reasonably configurable, and works very well.  I've been running it for 
> months without trouble.
I've written a similar script which worked okay for the most part. 
Probably not as fancy, but a la.

Point is, I'd prefer to:
1) Know why the attack still works although I'm ratelimiting to 3 
connections per minute and MaxAuthTries is set to 3 (but if it was still 
the default value 6, it should've triggered, too)
2) Fix it at the root cause, probably OpenSSH?


-- 
Pieter
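As an added example (not code from the original thread or from either poster), here is a small audit script a defender could run over an auth log to check whether the failed logins actually observed are consistent with the two limits the post describes: 3 connections per minute per source and MaxAuthTries 3. It groups sshd "Failed password" lines by the sshd process id (one id per connection), counts tries per connection against MaxAuthTries, and counts connections per source within any 60-second window. The log lines are constructed for the example; the message format is the standard OpenSSH syslog format, and the year is an assumption because syslog timestamps carry none.

```python
"""Added example: audit sshd failed-login lines against a 3 connections/minute
per-source rate limit and MaxAuthTries 3. Sample log lines are constructed;
the sshd message format is the standard OpenSSH one."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed syslog-style sample. Four tries on one connection (pid 5001),
# then four connections from the same source inside one minute.
SAMPLE_LOG = """\
Aug 20 12:40:01 host sshd[5001]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2
Aug 20 12:40:02 host sshd[5001]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2
Aug 20 12:40:03 host sshd[5001]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2
Aug 20 12:40:04 host sshd[5001]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2
Aug 20 12:40:10 host sshd[5002]: Failed password for invalid user test from 192.0.2.10 port 40002 ssh2
Aug 20 12:40:20 host sshd[5003]: Failed password for invalid user oracle from 192.0.2.10 port 40003 ssh2
Aug 20 12:40:30 host sshd[5004]: Failed password for invalid user guest from 192.0.2.10 port 40004 ssh2
Aug 20 12:45:00 host sshd[5010]: Failed password for root from 198.51.100.7 port 51000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse(log, year=2006):
    """Yield (timestamp, pid, source ip) for each failed-password line.
    The year is assumed; syslog timestamps do not include one."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["pid"], m["ip"]


def audit(log, max_conn_per_min=3, max_auth_tries=3):
    """Return {source ip: [finding, ...]} for sources whose logged activity
    exceeds what the configured limits should permit."""
    by_conn = defaultdict(list)  # (ip, pid) -> timestamps of failed tries
    for ts, pid, ip in parse(log):
        by_conn[(ip, pid)].append(ts)

    findings = {}
    conns = defaultdict(list)  # ip -> first-seen timestamp of each connection
    for (ip, pid), stamps in by_conn.items():
        conns[ip].append(min(stamps))
        if len(stamps) > max_auth_tries:
            findings.setdefault(ip, []).append(
                f"pid {pid}: {len(stamps)} failed tries on one connection "
                f"(> MaxAuthTries {max_auth_tries})")

    for ip, starts in conns.items():
        starts.sort()
        # Sliding 60-second window over connection start times.
        for i, t0 in enumerate(starts):
            n = sum(1 for t in starts[i:] if (t - t0).total_seconds() < 60)
            if n > max_conn_per_min:
                findings.setdefault(ip, []).append(
                    f"{n} connections within 60s starting {t0:%H:%M:%S} "
                    f"(> {max_conn_per_min}/min)")
                break
    return findings


if __name__ == "__main__":
    for ip, notes in audit(SAMPLE_LOG).items():
        print(ip)
        for note in notes:
            print("  ", note)
```

One caveat when reading the result: the log only shows connections that reached sshd, so a packet-filter rate limit is checked here indirectly; if the per-minute finding appears, the filter rule did not stop those connections, and if the per-connection finding appears, sshd let more tries through than MaxAuthTries should allow.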



More information about the freebsd-security mailing list