On Thursday 16 June 2005 10:05 am, Thomas Stivers wrote:
> I have been getting a huge number of attempts to log into my box via ssh
> which fail with invalid username entries in the logs. Is there already a
> package which will let me look through the logs and dynamically add
> iptables rules to drop anything from these scanning addresses after
> something like 3 attempts? I know I can set up hosts.allow and
> hosts.deny to only allow ssh in from particular IPs, but I'd rather not
> do that. Any suggestions would be appreciated.

Take a look at DenyHosts (http://denyhosts.sourceforge.net/). It basically uses tcp_wrappers to block all such attempts. There is a mini-howto/article up on http://rootprompt.org/article.php3?article=8735.

Note that there are also a number of methodologies which accomplish the same thing using iptables... One such example is at https://lists.netfilter.org/pipermail/netfilter/2005-June/060914.html.

The extension of this would be to use something like port knocking (http://www.portknocking.org) to protect ssh and other services.

-- 
--Brad
========================================================================
Bradley M. Alexander                |
IA Analyst, SysAdmin, Security Engineer | storm [at] tux.org
Debian/GNU Linux Developer          | storm [at] debian.org
========================================================================
Key fingerprints:
DSA 0x54434E65: 37F6 BCA6 621D 920C E02E E3C8 73B2 C019 5443 4E65
RSA 0xC3BCBA91: 3F 0E 26 C1 90 14 AD 0A C8 9C F0 93 75 A0 01 34
========================================================================
"Smoking kills, and if you're killed, you've lost a very important part
of your life." -- Anti-smoking spokesperson Brooke Shields
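
The log-scanning approach discussed in this thread, as an added example that is not part of the original messages and is not DenyHosts' own code: it counts failed sshd logins per source address and emits tcp_wrappers hosts.deny entries once an address reaches 3 failures. The log message formats, the sample lines and the function names are assumptions; the pattern is anchored at the end of the line so that a username containing " from <ip>" cannot get someone else's address blocked.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines (documentation address ranges, not real hosts).
SAMPLE_LOG = """\
Jun 16 10:01:02 box sshd[2101]: Invalid user admin from 203.0.113.7
Jun 16 10:01:03 box sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 4021 ssh2
Jun 16 10:01:05 box sshd[2102]: Invalid user test from 203.0.113.7
Jun 16 10:01:09 box sshd[2103]: Failed password for root from 203.0.113.7 port 4023 ssh2
Jun 16 10:02:00 box sshd[2110]: Invalid user x from 198.51.100.20 from 192.0.2.44
Jun 16 10:02:01 box sshd[2111]: Invalid user y from 198.51.100.20 from 192.0.2.44
Jun 16 10:02:02 box sshd[2112]: Invalid user z from 198.51.100.20 from 192.0.2.44
Jun 16 10:03:00 box sshd[2120]: Failed password for thomas from 198.51.100.20 port 5000 ssh2
Jun 16 10:04:00 box sshd[2130]: Accepted password for thomas from 198.51.100.20 port 5001 ssh2
"""

# Assumed sshd message formats. "Failed password for invalid user" is skipped
# because the "Invalid user" line already counted that attempt. The greedy
# ".*" plus the "$" anchor means the address is always the LAST "from <ip>" on
# the line, which sshd writes, not one smuggled in through the username.
FAIL_RE = re.compile(
    r"sshd\[\d+\]: (?:Invalid user .* from|Failed password for (?!invalid user ).* from) "
    r"(\d{1,3}(?:\.\d{1,3}){3})(?: port \d+)?(?: ssh2)?$"
)

def count_failures(lines):
    """Return a Counter of failed-login events per source IPv4 address."""
    failures = Counter()
    for line in lines:
        match = FAIL_RE.search(line.strip())
        if not match:
            continue
        try:
            ipaddress.ip_address(match.group(1))  # rejects e.g. 999.1.1.1
        except ValueError:
            continue
        failures[match.group(1)] += 1
    return failures

def hosts_deny_entries(log_text, threshold=3, allow=frozenset()):
    """Return sorted hosts.deny lines for addresses at or above the threshold."""
    failures = count_failures(log_text.splitlines())
    return sorted(
        f"sshd: {ip}" for ip, n in failures.items()
        if n >= threshold and ip not in allow
    )

if __name__ == "__main__":
    print("\n".join(hosts_deny_entries(SAMPLE_LOG)))
```

Put your own management addresses in `allow` so that a few mistyped passwords cannot lock you out of the box.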