Bug 141016 - [libpam] PAM checks in sshd too few?
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: Unspecified
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: Dag-Erling Smørgrav
Reported: 2009-11-30 10:40 UTC by Olaf Seibert
Modified: 2022-05-18 16:04 UTC
Description Olaf Seibert 2009-11-30 10:40:00 UTC
I use port security/pam_af to help me against brute force login attacks. I use it both on FreeBSD and NetBSD.

It works by being first in the "auth" list of the PAM config file. It hooks into pam_sm_authenticate(), where it registers a (potentially failed) login attempt. If the counter is too high, it blocks the login. Then later, if pam_sm_setcred() is called, it registers the login attempt as a success by resetting the login attempt counter.

I have observed a significant difference in behaviour on both OSes, and I think FreeBSD is significantly less secure than it could (and should) be.

Sshd is logging large amounts of login attempts. However, hardly any of the hosts involved end up blocked by pam_af.

This can only mean that pam_sm_authenticate() isn't always called for all login attempts. It seems like it is only called for login attempts with actually existing users.

NetBSD's sshd, on the other hand, nicely registers these attempts and blocks the offending hosts.

In my opinion, it would be better if FreeBSD did the same. It would make tools like pam_af much more effective.

I first noticed this on FreeBSD 6.1, but it is unchanged in 8.0.

I notice another port, security/pam-abl, which at a glance appears to work similarly, so it would fail similarly.
Fix: Sorry, I don't know what diversion has grown between both *BSDs' sshd. Diffs appear to be large though.

-Olaf Seibert.
How-To-Repeat: Install security/pam_af and observe its statistics database. See that almost none of the hosts that sshd logs are in it.
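The counting and reset behaviour the report describes, modelled as an added example (this is not pam_af's code nor anything from the report): a per-host counter playing the pam_sm_authenticate and pam_sm_setcred roles, plus a simulated sshd switch that either calls the authenticate hook for every attempt or only for existing accounts. The threshold, host strings and all function names are constructed for illustration.

```c
#include <string.h>

#define MAX_HOSTS    16
#define MAX_FAILURES 3   /* constructed threshold; pam_af's real limit is configurable */
struct host_rec { char host[64]; int failures; };
static struct host_rec table[MAX_HOSTS];
static int nhosts;

/* Per-remote-host failure record, created on demand when create != 0. */
static struct host_rec *lookup(const char *host, int create)
{
    int i;
    for (i = 0; i < nhosts; i++)
        if (strcmp(table[i].host, host) == 0)
            return &table[i];
    if (!create || nhosts == MAX_HOSTS)
        return NULL;
    strncpy(table[nhosts].host, host, sizeof table[nhosts].host - 1);
    table[nhosts].host[sizeof table[nhosts].host - 1] = '\0';
    table[nhosts].failures = 0;
    return &table[nhosts++];
}

/* pam_sm_authenticate side: book the attempt as a failure first, then refuse
 * (-1) once the host is over the threshold; a full table fails closed. */
int af_authenticate(const char *rhost)
{
    struct host_rec *r = lookup(rhost, 1);
    return (r == NULL || ++r->failures > MAX_FAILURES) ? -1 : 0;
}

/* pam_sm_setcred side: only reached after a successful login, so the
 * provisional failure booked above is cleared. */
void af_setcred(const char *rhost)
{
    struct host_rec *r = lookup(rhost, 0);
    if (r != NULL) r->failures = 0;
}

/* One sshd login attempt: 1 = logged in, 0 = refused, -1 = blocked by pam_af.
 * With pam_for_unknown_users == 0 sshd rejects non-existent accounts without
 * calling pam_sm_authenticate (what the report describes), so those hosts are never counted. */
int simulate_attempt(const char *rhost, int user_exists, int password_ok, int pam_for_unknown_users)
{
    if (!user_exists && !pam_for_unknown_users) return 0;
    if (af_authenticate(rhost) < 0) return -1;
    if (!user_exists || !password_ok) return 0;
    af_setcred(rhost);
    return 1;
}
```

Running the same stream of bogus-user attempts through both switch settings shows the difference the report observes: only the hook-for-every-attempt path ever reaches the threshold.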
Comment 1 Dag-Erling Smørgrav 2015-12-17 20:21:46 UTC
This is a flaw in the way PAM is integrated into OpenSSH and would be very difficult to fix. If you only use traditional passwords and not some sort of interactive or multi-factor authentication, you can turn ChallengeResponseAuthentication off and PasswordAuthentication on in /etc/ssh/sshd_config and see if it helps.
Comment 2 Ed Maste 2022-05-18 16:04:37 UTC
Is NetBSD using PasswordAuthentication by default?