<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
Ever since I had to move to Comcast I have been having the same problem
as you, I had a new record a couple nights ago of over 10,000 trys from
one IP which really fills up the logs and logwatch something fierce. I
can't use hosts.allow or .deny because I never know where I am going to
be logging in from. With Kyle's response to you I was motivated to
look for someone else's work and try to use it. Doing a google search
for "ssh attempt script" brings up the following article as the first
hit:<br>
<a class="moz-txt-link-freetext" href="http://www.debian-administration.org/articles/250">http://www.debian-administration.org/articles/250</a> titled
"Automatically Blocking SSH Attackes From Script Kiddies?"<br>
While the article addresses Debian I am going to try the source with
other distro's. The article good and there are also a bunch of tools
mentioned in the postings. I think I am going to try fail2ban as soon
as I get the chance. The scripts can run as a cron job or as a daemon
so they can do it in real time, and you can set the threshold of when
the IP gets locked out. <br>
<br>
There was also an article in SysAdmin mag. that talked about using
scripts and email to add your current address to hosts.allow and when
you disconnect removing it, I don't have it right in front of me but if
you are interested in that route just ask and I will find it.<br>
<br>
Eric<br>
<br>
Bob Blick wrote:
<blockquote
cite="mid19805.66.52.191.4.1129742296.squirrel@webmail.sonic.net"
type="cite">
<blockquote type="cite">
<pre wrap="">What about some dynamic iptables rules using the TARPIT target?
Watch the logs for failed login attempts, or logins that don't exist
on your system, and then tarpit 'em.
</pre>
</blockquote>
<pre wrap=""><!---->
First, thanks to all who have responded. Lots of ideas I would never have
thought of myself.
My original idea was to patch or find a patched version of opensshd, but
after reading all the great replies, that doesn't seem like the best way
to go.
Denying, either through hosts.deny or iptables, seems like the best thing
to do, with /var/log/messages as the source.
I don't want to block an ip address on just one bad attempt. I make
spelling errors and so do others.
But I also want to be fast responding, so a cron job that analyzes the log
doesn't appeal to me.
For inspiration I'm going to search and see what other people have done
and then see if I can put together something in perl that will work in
realtime, tolerate a few bad login attempts, and then append the
hosts.deny file.
I'll try it on my test machine first :) And if it works I'll pass it along.
Cheerful regards,
Bob
_______________________________________________
talk mailing list
<a class="moz-txt-link-abbreviated" href="mailto:talk@nblug.org">talk@nblug.org</a>
<a class="moz-txt-link-freetext" href="http://nblug.org/cgi-bin/mailman/listinfo/talk">http://nblug.org/cgi-bin/mailman/listinfo/talk</a>
</pre>
</blockquote>
</body>
</html>