OpenBSD's PF firewall will let you do this, with any port. More than X
connections/sec from a given IP will let you add that src IP to a table,
which you can then ban, or whatever. Look for the <overload> operator
here: <http://www.openbsd.org/faq/pf/filter.html#stateopts>
--Alex
On Thu, 2005-10-20 at 11:42 -0600, Paul Berube wrote:
Hi.
First off, my personal disclaimer: I'm not a (real) sysadmin, nor a
security or networking or even a *nix expert, so hopefully I'm not
missing something obvious. I've looked through the ssh man page and
googled, but I didn't find anything relevent. Anyway.
People are running attacks on my server... they look like dictionary
attacks on usernames and passwords, and I'm sure that any of you who
look at your logs have seen the same thing on your machines. I have
reverse-dns checking turned on, and have everyone except select users
blocked by denygroups and denyusers. I end up with large daily logs
filled with failed login attempts, user not allowed messages, and
"possible breaking attempt" messages from reverse-dns failures (eg, more
than 3800 entries yesterday, from 1 or 2 IPs).
What I'd like is a system configuration where I just drop all packets
from hosts that cause one of these messages for the next, say, 5 min.
This way, a login failure from a legitimate user is not a catastrophic
event for them, but greatly limits the ability of attackers to hammer on
ssh. It seems like this sort of setup/process should have a well-known
name (that I am ignorant of).
Any advice, suggestions, or pointers would be appreciated!
Thanks.
--Paul
--
Alex Gottschalk agottschalk@letstalk.com
IT Manager/Sysadmin Office: (415) 357-7635
LetsTalk.com Cell: (415) 517-4982
signature.asc
Description: This is a digitally signed message part
