Jeremy-

SSH servers do not typically include this; however you can use denyhosts or fail2ban to block IPs with too many failed connection attempts. It's difficult to use anything other than IP to identify a brute-force attacker, since they can change almost everything else (client name, username, client auth key, etc.) and still be successful in a dictionary attack. These days, it is also common to see distributed ssh brute-force attacks, in which many (likely owned) computers will each try a small number of dictionary attacks, but from a large number of IPs.

Connection Banning:
Denyhosts: http://denyhosts.sourceforge.net/
fail2ban: http://www.fail2ban.org/wiki/index.php/OpenSSH

You also may want to take a look at port knockers, which are silent daemons that can open a firewall only to one IP for a limited amount of time when it receives a series of tcp/udp connection attempts or (my favorite) in the case of fwknop, a pgp-signed packet that is authenticating and non-replayable.

Traditional port knocking: https://help.ubuntu.com/community/PortKnocking
Single packet authorization: fwknop: http://www.cipherdyne.org/fwknop/

Regards,
Brad

On Thu, Jul 9, 2009 at 9:45 AM, Jeremy C. Reed<reed@xxxxxxxxxxxxx> wrote:
> I thought I saw a patch or feature for an sshd for blocking max
> connections per client, max failed authentication attempts per client,
> and/or max authentication attempts per client. Does anyone know about
> that?
>
> Or do any less popular open source SSH servers provide that? (Keep counter
> of connections, attempts, failures per client?)
>
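
The per-IP failure counting discussed in the reply above, and the way a distributed attack stays under a per-IP limit, shown as an added example that is not part of the original thread and is not code from denyhosts or fail2ban. It assumes OpenSSH "Failed password" syslog lines; the log lines, the thresholds and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# OpenSSH "Failed password" line in classic syslog format (assumed log format).
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")

def parse(lines, year=2009):
    """Yield (timestamp, user, ip) for every failed-password line."""
    for line in lines:
        m = FAILED.match(line)
        if m:  # syslog omits the year, so the caller supplies it
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)

def per_ip_offenders(events, max_fail=5, window=timedelta(minutes=10)):
    """IPs with more than max_fail failures inside a sliding window."""
    recent, banned = defaultdict(list), set()
    for ts, _user, ip in sorted(events):
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) > max_fail:
            banned.add(ip)
    return banned

def peak_distinct_sources(events, window=timedelta(minutes=10)):
    """Largest number of distinct failing source IPs seen in any window.
    A spike here is the signal a per-IP counter cannot see."""
    recent, peak = [], 0
    for ts, _user, ip in sorted(events):
        recent = [(t, i) for t, i in recent if ts - t <= window] + [(ts, ip)]
        peak = max(peak, len({i for _, i in recent}))
    return peak

# Constructed sample: one noisy host, then six hosts with two failures each.
SAMPLE = [f"Jul  9 09:40:{s:02d} host sshd[4242]: Failed password for root "
          f"from 203.0.113.7 port 5{s:04d} ssh2" for s in range(7)]
SAMPLE += [f"Jul  9 09:4{i}:{s} host sshd[4300]: Failed password for invalid "
           f"user user{i} from 198.51.100.{i} port 40000 ssh2"
           for i in range(1, 7) for s in ("00", "30")]

if __name__ == "__main__":
    events = list(parse(SAMPLE))
    print("per-IP ban list:", per_ip_offenders(events))
    print("peak distinct failing sources:", peak_distinct_sources(events))
```

Only the single noisy address crosses the per-IP threshold; the six low-rate sources are visible only in the aggregate count, which is why per-IP banning is usually paired with alerting on the number of distinct failing sources or with a default-closed approach such as port knocking.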