sshd behaviour when people are trying to break in

Daniel Kahn Gillmor dkg-openssh.com at fifthhorseman.net
Wed Nov 15 07:55:42 EST 2006


hi Mark--

On November 14, markb at ordern.com said:

> It would be good if sshd could detect such break in attempts and
> simply not accept the connections. I can imagine having a simple
> mechanism that counts the number of login attempts from a given IP
> address and if so many are attempted in a short time period, that IP
> address is blacklisted for a while.

I don't think this functionality belongs in openssh.

This sort of policy has been implemented in a more generalized way
than ssh could do on its own.  There are programs which read
logfiles, and block IP addresses based on the contents.  One such
implementation is fail2ban:

  http://fail2ban.sourceforge.net/

which comes with a standard set of rules for dealing with openssh
logs, and blocking IPs using the linux netfilter rulesets.  I'm sure
it's adaptable to pf or whatever other filtering setup you are already
using.

hth,

	--dkg
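The log-driven policy Mark describes and fail2ban implements, as an added example that is not part of this thread or of fail2ban itself: a script that scans constructed sshd syslog lines, counts failed logins per source address in a sliding time window, bans an address that crosses the threshold, and renders the bans as netfilter rules. The thresholds, the assumed year for the year-less syslog timestamps, and the exact iptables command form are assumptions of this example, not fail2ban's defaults.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of sshd syslog lines, in time order, with no year (as in real syslog).
SAMPLE_LOG = [
    "Nov 14 22:01:05 host sshd[1234]: Failed password for root from 203.0.113.7 port 51001 ssh2",
    "Nov 14 22:01:09 host sshd[1235]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2",
    "Nov 14 22:01:14 host sshd[1236]: Accepted publickey for dkg from 192.0.2.10 port 40000 ssh2",
    "Nov 14 22:01:20 host sshd[1237]: Failed password for root from 203.0.113.7 port 51003 ssh2",
    "Nov 14 22:01:30 host sshd[1238]: Failed password for invalid user test from 203.0.113.7 port 51004 ssh2",
    "Nov 14 22:01:33 host sshd[1239]: Failed password for dkg from 192.0.2.10 port 40001 ssh2",
    "Nov 14 22:01:41 host sshd[1240]: Failed password for root from 203.0.113.7 port 51005 ssh2",
    "Nov 14 22:20:00 host sshd[1241]: Failed password for dkg from 192.0.2.10 port 40002 ssh2",
]

# One "Failed password" line is logged per rejected authentication attempt.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

def parse_failures(lines, year=2006):
    """Yield (timestamp, source IP) for each failed-login line; skip the rest."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"]

def find_bans(lines, maxretry=5, findtime=timedelta(minutes=10),
              bantime=timedelta(hours=1)):
    """Ban an IP for bantime once it has maxretry failures within findtime.
    Returns {ip: (ban_start, ban_end)}; lines from a still-banned IP are ignored."""
    recent = defaultdict(deque)   # per-IP failure timestamps inside the current window
    bans = {}
    for ts, ip in parse_failures(lines):
        if ip in bans and ts < bans[ip][1]:
            continue              # the firewall would already be dropping these
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > findtime:   # expire failures older than the window
            q.popleft()
        if len(q) >= maxretry:
            bans[ip] = (ts, ts + bantime)
            q.clear()
    return bans

def netfilter_rules(bans):
    """Render the ban list as iptables commands, one DROP rule per banned source."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP" for ip in sorted(bans)]
```

On the sample, 203.0.113.7 reaches five failures inside ten minutes and is banned at 22:01:41, while 192.0.2.10's two failures fall outside the window and stay under the threshold.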
