sshd.conf

spying · #1 17th October 2005, 09:37 AM

Is there a way to temporary ban/ignore an ip after a number of failed requests?
I have set the allowable tries to 2 before it disconnects the user but i also want to block brute force attacks from escalating into a DoS attack. If the option is not available, i'm pretty surprised such a option is unavailable.

Zigzagcom · #2 17th October 2005, 09:53 AM

There is a script called "DenyHosts", google it, or you might get it via yum as well. I've played with it, and it seems to do the job...altough I am still trying to fully understand it....

rayyes · #3 17th October 2005, 10:41 AM

here's two i found on google. Haven't tried them so i cant say how well they work.
Authfail - http://www.bmk.bz/?p=60
BlockHosts - http://www.aczoom.com/cms/blockhosts/ <--- this one seems pretty good

spying · #4 17th October 2005, 07:19 PM

Will check them out. Thanks

gavinw6662 · #5 18th October 2005, 08:02 AM

have you looked into portsentry?? Nice program for blocking port scans.

centos_x · #6 30th October 2005, 12:24 PM

hosts.allow and hosts.deny in /etc

One problem with this is in hosts.allow you can state All and in deny put the IP in question, problem with this is if the culprit is dynamically assigned this is not a good defense. Just a matter of person picking up new IP from his ISP and can start over again.

Other option is setting deny to All and setting allow to specific IP's and/or Ranges, Problem with this is if you access from various locations. That do not have static IP's you will run into problems gaining access.