Every other day or so now I'm seeing attempts in my server's logs where some remote machine starts trying to guess a username/password combination to ssh into the server. They try everything from 'test', to 'NOUSER', 'guest', 'root', etc., doing at least one login attempt per second, each time from a different source port.
So, my question is this. Is there a way to tell ssh to refuse connections from an IP address after a certain number of failed login attempts, or is snort the only way to do something like this? So far I've been taking the manual approach, blocking the IP address with my firewall after I see it hitting the logs, but that can give them about an hour to play before I notice it (e-mailed to me by logcheck). Any suggestions?

TIA,
Jacob
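Added example, not part of the original post: one way to do the per-address counting the question asks about, run over a constructed auth log. It assumes OpenSSH's syslog "Failed password" line format; the `offenders` name, the threshold of 5 and the 60-second window are illustrative choices.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# sshd failure line. The user name is remote-supplied text, so the address is
# taken from the fixed trailing fields; the source port is ignored on purpose.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"Failed password for .+ from (?P<ip>\S+) port \d+ ssh2$"
)

def offenders(lines, max_failures=5, window=timedelta(seconds=60), year=2024):
    """Map each source IP to the time it reached max_failures within window."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    flagged = {}
    for line in lines:
        m = FAILED.match(line.rstrip())
        if not m:
            continue              # accepted logins and other daemons are skipped
        # syslog timestamps carry no year, so the caller supplies one
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(when)
        while when - q[0] > window:
            q.popleft()           # drop failures older than the window
        if len(q) >= max_failures:
            flagged.setdefault(m["ip"], when)
    return flagged

# Constructed sample log (documentation addresses, made-up host name and PIDs)
SAMPLE_LOG = """\
Mar 14 04:12:01 host sshd[811]: Failed password for invalid user test from 203.0.113.7 port 40211 ssh2
Mar 14 04:12:02 host sshd[813]: Failed password for invalid user NOUSER from 203.0.113.7 port 40215 ssh2
Mar 14 04:12:03 host sshd[815]: Failed password for invalid user guest from 203.0.113.7 port 40219 ssh2
Mar 14 04:12:03 host sshd[816]: Failed password for jacob from 198.51.100.20 port 51000 ssh2
Mar 14 04:12:04 host sshd[817]: Failed password for root from 203.0.113.7 port 40224 ssh2
Mar 14 04:12:05 host sshd[819]: Failed password for invalid user test from 203.0.113.7 port 40230 ssh2
Mar 14 04:20:40 host sshd[900]: Failed password for jacob from 198.51.100.20 port 51044 ssh2
Mar 14 04:20:52 host sshd[901]: Accepted password for jacob from 198.51.100.20 port 51050 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG).items():
        print(f"{when:%b %d %H:%M:%S} block candidate {ip}")
```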