block sshd attacks with ipfw on mac osx 10.5.6

return to  


Leaving sshd active and open to the internet at large is risky.

However, you can take a few very basic steps to permit access and still protect yourself.

First, move the sshd port on your firewall from 22 to some random high port.  Security through obfuscation is no security at all.  However, most current autobots do not portscan and adjust once they find sshd on a high port.  They should.

Second, activate this simple plist to watch your sshd failed logins, and block abusive IPs after a certain number of attempts.  I like five, myself.

All credit to macosx forum user Iras for posting a totally nonfunctional script.  Kudos to others in the thread for almost making it work.  Big shout out to me for putting the last nail in the coffin and posting it here for you:

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "">

<plist version="1.0">








          substr( $5, 0, 4) == "sshd" &amp;&amp; $9 == "failure" {

                ip = $13

                count[ip] += 1


          END {

               if (system("ipfw list | cut -d ' ' -f 1 | grep 00101") == 0) {


s = "ipfw delete 00101; ";

} else {

s = "";

sep = "ipfw add 101 deny src-ip "

                for (ip in count) {

                   if (count[ip] &gt; 5) {

                      s = s sep ip

                      sep = ", "

                      print count[ip] " failed attempts from " ip

















The ipfw rules are removed once the login failures are purged from your logs; logrotation dependent.

ouch:LaunchAgents steve$ ls -al /Library/LaunchAgents/macosxhints.denyhosts.plist

-rw-r--r--  1 root  wheel  1328 May  5 22:29 /Library/LaunchAgents/macosxhints.denyhosts.plist

ouch:LaunchAgents steve$ sudo launchctl load /Library/LaunchAgents/macosxhints.denyhosts.plist

Original macosx link.

goto index.html