Jeremy-
SSH servers do not typically include this; however you can use
denyhosts or fail2ban to block IPs with too many failed connection
attempts. It's difficult to use anything other than IP to identify a
brute-force attacker, since they can change almost everything else
(client name, username, client auth key, etc.) and still be successful
in a dictionary attack. These days, it is also common to see
distributed ssh brute-force attacks, in which many (likely owned)
computers will each try a small number of dictionary attacks, but from
a large number of IPs.
Connection Banning:
Denyhosts:
http://denyhosts.sourceforge.net/
fail2ban:
http://www.fail2ban.org/wiki/index.php/OpenSSH

You also may want to take a look at port knockers, which are silent
daemons that can open a firewall only to one IP for a limited amount
of time when they receive a series of TCP/UDP connection attempts or
(my favorite) in the case of fwknop, a PGP-signed packet that is
authenticating and non-replayable.
Traditional port knocking:
https://help.ubuntu.com/community/PortKnocking
Single packet authorization: fwknop:
http://www.cipherdyne.org/fwknop/

Regards,
Brad
On Thu, Jul 9, 2009 at 9:45 AM, Jeremy C. Reed<reed@reedmedia.net> wrote:
> I thought I saw a patch or feature for an sshd for blocking max
> connections per client, max failed authentication attempts per client,
> and/or max authentication attempts per client. Does anyone know about
> that?
>
> Or do any less popular open source SSH servers provide that? (Keep counter
> of connections, attempts, failures per client?)
>
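As an added illustration (not part of Brad's reply, and not code from denyhosts or fail2ban), the script below does the per-source-IP counting those tools perform: it parses the "Failed password" lines sshd writes to syslog, bans any IP that reaches a failure threshold within a time window (fail2ban's maxretry/findtime idea), and then shows why the per-IP view misses the distributed case Brad describes: several hosts that each stay under the threshold while hammering the same account. The log lines, hostnames, PIDs, and addresses (RFC 5737 documentation ranges) are all constructed for the example; the year is assumed to be 2009 because syslog timestamps do not carry one.

```python
"""Per-source-IP failed-login counting over sshd log lines.

Added illustration of the counting that denyhosts/fail2ban do. The log
below is constructed for the example, not captured traffic.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Shape of the syslog line OpenSSH writes when a password is rejected.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)

# Constructed sample: one noisy attacker (203.0.113.5), one slow attacker
# (203.0.113.9), a small distributed campaign against "root" from three
# 198.51.100.x hosts, and one legitimate key-based login.
SAMPLE_LOG = """\
Jul  9 09:40:00 bastion sshd[4001]: Failed password for root from 203.0.113.9 port 50001 ssh2
Jul  9 09:45:01 bastion sshd[4101]: Failed password for invalid user admin from 203.0.113.5 port 41022 ssh2
Jul  9 09:45:03 bastion sshd[4102]: Failed password for root from 203.0.113.5 port 41030 ssh2
Jul  9 09:45:05 bastion sshd[4103]: Failed password for invalid user admin from 203.0.113.5 port 41038 ssh2
Jul  9 09:45:08 bastion sshd[4104]: Failed password for invalid user test from 203.0.113.5 port 41044 ssh2
Jul  9 09:45:11 bastion sshd[4105]: Failed password for invalid user oracle from 203.0.113.5 port 41052 ssh2
Jul  9 09:45:14 bastion sshd[4106]: Failed password for root from 203.0.113.5 port 41060 ssh2
Jul  9 09:46:00 bastion sshd[4110]: Accepted publickey for brad from 198.51.100.7 port 50342 ssh2
Jul  9 09:47:00 bastion sshd[4002]: Failed password for root from 203.0.113.9 port 50002 ssh2
Jul  9 09:50:00 bastion sshd[4201]: Failed password for root from 198.51.100.10 port 33001 ssh2
Jul  9 09:50:02 bastion sshd[4202]: Failed password for root from 198.51.100.10 port 33002 ssh2
Jul  9 09:50:05 bastion sshd[4203]: Failed password for root from 198.51.100.11 port 33003 ssh2
Jul  9 09:50:07 bastion sshd[4204]: Failed password for root from 198.51.100.11 port 33004 ssh2
Jul  9 09:50:10 bastion sshd[4205]: Failed password for root from 198.51.100.12 port 33005 ssh2
Jul  9 09:50:12 bastion sshd[4206]: Failed password for root from 198.51.100.12 port 33006 ssh2
Jul  9 09:54:00 bastion sshd[4003]: Failed password for root from 203.0.113.9 port 50003 ssh2
Jul  9 10:01:00 bastion sshd[4004]: Failed password for root from 203.0.113.9 port 50004 ssh2
Jul  9 10:08:00 bastion sshd[4005]: Failed password for root from 203.0.113.9 port 50005 ssh2
"""


def parse_failures(lines, year=2009):
    """Return (timestamp, ip, user) for every failed password line.

    Syslog timestamps carry no year, so one is assumed (2009 here).
    Successful logins and unrelated lines are skipped.
    """
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        events.append((ts, m.group("ip"), m.group("user")))
    return events


def ips_to_ban(events, maxretry=5, findtime=600):
    """IPs with at least `maxretry` failures inside any `findtime`-second window.

    This is the fail2ban-style sliding window: the per-IP timestamps are
    sorted and every run of `maxretry` consecutive failures is checked.
    """
    by_ip = defaultdict(list)
    for ts, ip, _ in events:
        by_ip[ip].append(ts)
    window = timedelta(seconds=findtime)
    banned = set()
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= window:
                banned.add(ip)
                break
    return banned


def under_radar_sources(events, maxretry=5):
    """IPs that failed at least once but never reached the ban threshold."""
    totals = defaultdict(int)
    for _, ip, _ in events:
        totals[ip] += 1
    return {ip for ip, n in totals.items() if n < maxretry}


def failures_by_user(events):
    """Aggregate by target account: shows a distributed campaign that the
    per-IP counters cannot see, because each source stays under threshold."""
    counts = defaultdict(lambda: {"attempts": 0, "sources": set()})
    for _, ip, user in events:
        counts[user]["attempts"] += 1
        counts[user]["sources"].add(ip)
    return dict(counts)


if __name__ == "__main__":
    evs = parse_failures(SAMPLE_LOG.splitlines())
    print("ban:", sorted(ips_to_ban(evs)))
    print("under radar:", sorted(under_radar_sources(evs)))
    for user, info in sorted(failures_by_user(evs).items()):
        print(f"{user}: {info['attempts']} failures from {len(info['sources'])} sources")
```

With the defaults (5 failures in 600 s) only 203.0.113.5 is banned; 203.0.113.9 spreads its five tries over 28 minutes and escapes until findtime is widened to an hour, and the three 198.51.100.x hosts never exceed two failures each, so no per-IP counter fires even though "root" has taken 13 failures from five sources. That last view is the one to watch when looking for the distributed attacks mentioned above.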