Bug 965

Summary: auto disable/block of ip address
Product: Portable OpenSSH Reporter: Jeremiah Jahn <jeremiah>
Component: sshdAssignee: OpenSSH Bugzilla mailing list <openssh-bugs>
Status: CLOSED WONTFIX    
Severity: enhancement    
Priority: P2    
Version: 3.9p1   
Hardware: All   
OS: Linux   

Description Jeremiah Jahn 2004-12-21 01:38:26 AEDT 
I would like to see the ssh deamon stop allowing attempts to connect from an ip
address after a certain number of failures. My logs tend to fill up after a
night of script kiddy hell. 

1) There should be a way to turn this off/on
2) A way to get the list and re-enable/remove an ip address.
3) A attempt count setting so that after X failures autoblocking happens 

I've grown very accustomed to something similar on AS400's.  It very hanndy to have.

thanx,
-jj-
Comment 1 Damien Miller 2004-12-21 09:31:11 AEDT 
We won't implement reflexive blocking, it can be easily implemented by scanning
logs (i.e not in ssh) and there are too many ways it can be turned into a
denial-of-service. 

If you really want to do this, there are scripts that will parse logfiles and
add addresses found to a firewall rule.
Comment 2 Darren Tucker 2004-12-21 09:40:28 AEDT 
I'll also add that if you really want this and your sshd is built with PAM then
then you could implement this policy in a PAM module (eg hack pam_tally to take
notice of PAM_RHOST).
Comment 3 Darren Tucker 2005-01-11 18:30:49 AEDT 
Incidentally, if folks running PAM really want to do this, there's now a pam_abl
module that does it: http://www.hexten.net/sw/pam_abl/
Comment 4 Darren Tucker 2006-10-07 11:38:17 AEST 
Change all RESOLVED bug to CLOSED with the exception of the ones fixed post-4.4.