> On Wed, 2005-04-06 at 07:15 +0000, Edwin D. Vinas wrote: >> hello, >> >> shown below is snapshot of too many illegal attempts to login to my >> server from a suspicious hacker. this is taken from the >> "/var/log/auth.log". my question is, how do i automatically block an >> IP address if it is attempting to guess my login usernames? can i >> configure the firewall to check the instances a certain IP has >> attempted to access/ssh the sevrer, and if it has failed to login for >> about "x" number of attempts, it will be blocked automatically? >> >> thank you in advance! >> >> -edwin >> >> ---------------- >> Mar 26 05:00:00 pawikan newsyslog[11879]: logfile turned over ...etc.
> This is one of those things we all have to live with. > I once had the idea to start an Open Source Project for making an > administrators' tool that would work as follows. The tool would collect these > records and send the information to a central server. I would be willing to > donate and administer that server. The server would then track where these > attacks are coming from. If it becomes apparent that the attacks are coming > from a lone idiot doing one or two amateurish crack attempts, nothing further > need be done. On the other hand, if it becomes apparent that the source is > making repeated attacks on many machines, then a co-ordinate message would go > out to all administrators using the tool. This could be automated. We could > hope that many tens of thousands of BSD administrators would be using this > tool (on many hundreds of thousands of BSD machines). All the machines > administered by users of this tool would then launch a concerted Denial Of > Service attack on the cracker address. > Now, how about that? > Of course, we could also try to do this nicely; for example, we could send > automated notifications to the ISPs servicing the offending machines, or to > ICANN, or to the police and other authorities in the countries where this > kind of behavior is illegal, and so on. However, that would certainly be > quite ineffective, and much less fun. > Or we could combine these strategies. We could notify the ISPs that the > attacks are coming from one of their clients, informing them that a Tsunami > DOS shall follow if they do not put a stop to the attacks. > Just an idea... > Benjamin Rossen --------------------------------------------- Sounds fun but opens the door for every local user with ssh access to DOS the machine he is on. I am not that found of the idea. _______________________________________________ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
