On Mon, Nov 1, 2010 at 8:30 AM, onteria <onteria@scarletdevil.net> wrote:
quoted text
> I was checking my authlog today and noticed the following series of
> brute force login attempts:
>
> Nov B 1 01:37:04 solar sshd[8173]: Failed password for root from
> 58.211.1.163 port 8895 ssh2
> Nov B 1 01:37:04 solar sshd[10692]: Received disconnect from
> 58.211.1.163: 11: Bye Bye
> Nov B 1 01:37:06 solar sshd[6273]: Failed password for root from
> 58.211.1.163 port 9052 ssh2
> Nov B 1 01:37:06 solar sshd[21047]: Received disconnect from
> 58.211.1.163: 11: Bye Bye
>
> First off login as root is disabled, so not much they can do here, but
> I'd like to try and setup up some kind of throttling protection for
> these sorts of attacks. Unfortunately they keep changing ports, so the
> traditional port 22 protection isn't going to work. I'm wondering if
> there's something similar to spamd for sshd that can handle this sort of
> throttling before handing off to the real server, or if sshd has some
> functionality to do that on its own. Thanks ahead of time for any
> suggestions.
>
> - Onteria
>
>

There is sshguard in ports, or you can read the archives for some pf
max-src-conn-rate magic (or pf.conf(5)).