# Blocking brute force OpenSSH attacks



## NewGuy (Nov 9, 2014)

I think it is worth mentioning that the DenyHost[1] utility, which proactively blocks brute force attacks against OpenSSH, has been making headway on FreeBSD. The software now works with the PF packet filter, working to block brute force attacks at the firewall level rather than the tcp_wrapper level.

At the moment I'm running DenyHost on a TrueOS server and it is working as advertised. All I had to do was uncomment PF support in the configuration file and start the DenyHost service.

[1] http://denyhost.sourceforge.net/news.php


----------



## woodsb02 (Nov 12, 2014)

Do you know if it also has IPFW support?


----------



## SirDice (Nov 12, 2014)

What makes this one better or different compared to security/sshguard?


----------



## NewGuy (Nov 12, 2014)

woodsb02 said:


> Do you know if it also has IPFW support?



It does not.



SirDice said:


> What makes this one better or different compared to security/sshguard?



I haven't used sshguard so I can't answer that in an authoritative way. However, based on the summary provided by FreshPorts, the two tools sound very similar. I think the main difference, from what I read in sshguard's summary, is that DenyHost is configured entirely through a configuration file at run time. In contrast, it looks like sshguard needs to be configured at build/compile time to support specific blocking methods (hosts file, PF, etc.). So I suppose the main difference would be that to get the functionality you want from sshguard you may need to re-compile it from source/ports which is inconvenient. With DenyHost you can just comment/uncomment a line in the configuration file to enable/disable features like PF support.


----------
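The mechanism discussed in this thread, counting failed OpenSSH logins per source address and handing repeat offenders to a PF table, as an added example that is not part of any post above and is not DenyHost's or sshguard's own code. The table name `sshblock`, the threshold, the allowlist and the sample log lines are assumptions made for the illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in sshd's auth.log format (documentation addresses).
SAMPLE_LOG = """\
Nov 12 10:01:02 srv sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Nov 12 10:01:04 srv sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Nov 12 10:01:07 srv sshd[1203]: Failed password for invalid user test from 203.0.113.5 port 51251 ssh2
Nov 12 10:03:00 srv sshd[1215]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Nov 12 10:04:30 srv sshd[1220]: Failed password for bob from 192.0.2.10 port 40100 ssh2
Nov 12 10:04:35 srv sshd[1220]: Failed password for bob from 192.0.2.10 port 40101 ssh2
"""

# Anchored at end of line so the address taken is the one sshd appends itself.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for .* from (\S+) port \d+ ssh2$")

def offenders(log_text, threshold=3, allowlist=()):
    """Return sorted source addresses with at least `threshold` failed logins."""
    allowed = [ipaddress.ip_network(n) for n in allowlist]
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # not a literal address; never pass it on to pfctl
        if any(addr in net for net in allowed):
            continue  # management networks are never blocked
        counts[addr] += 1
    return sorted(str(a) for a, n in counts.items() if n >= threshold)

def pf_commands(addrs, table="sshblock"):
    """Build pfctl invocations that add addresses to a PF table (hypothetical name)."""
    # pf.conf needs matching rules, e.g.:
    #   table <sshblock> persist
    #   block in quick from <sshblock>
    return [f"pfctl -t {table} -T add {a}" for a in addrs]

if __name__ == "__main__":
    for cmd in pf_commands(offenders(SAMPLE_LOG)):
        print(cmd)
```

Blocking through a PF table drops the traffic before it reaches sshd, whereas a tcp_wrapper entry in `/etc/hosts.allow` or `/etc/hosts.deny` is only consulted once the connection has already been accepted.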

