On Wed, 29 Sep 2004 16:13:10 -0500, Jacob S <[EMAIL PROTECTED]> wrote:
> On Wed, 29 Sep 2004 16:10:58 -0400
> Nicolas <[EMAIL PROTECTED]> wrote:
>
> > >
> > > So, my question is this. Is there a way to tell ssh to refuse
> > > connections from an IP address after a certain number of failed
> > > login attempts, or is snort the only way to do something like this?
> > > So far I've been taking the manual approach, blocking the IP address
> > > with my firewall after I see it hitting the logs, but that can give
> > > them about an hour to play before I notice it (e-mailed to me by
> > > logcheck).
> > >
> > > Any suggestions?
> >
> > If you don't have too many users who log in to your server, you can
> > allow only them to log in, from specific IPs. Or you can disable the
> > password facility and only use keys (we do it this way at the job; it's
> > also what I do at home).
>
> That would work for the server that's currently having problems, but not
> all of my servers, unfortunately.
>
> > Nic Cola
> >
> > P.S.
> > Just for the fun of it, you can also tarpit the IP of the script
> > kiddy ;o)
>
> I'd love to, but I need a way to automate it to make it practical. I'm
> noticing that very few of these attempts are coming from cable or DSL
> users. Most of them seem to be coming from some remote machine inside a
> large webhosting company. I haven't been able to determine if the box
> was taken over by crackers or the users are abusing it; though my guess
> is crackers. Either way they're a pest.
>

I read this reported some time ago on the full-disclosure mailing list;
someone was worried about a new SSH exploit. I don't recall the details, but
it seems there's a script that tries some weak username/password
combinations...

Andrea
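
Added example, not part of the original thread: one way to automate the "watch the logs, then block" routine described above is to count sshd password failures per source address inside a sliding time window and report the addresses that cross a threshold. The log line layout, the threshold of 5 failures in 600 seconds, the function name and the sample lines are all assumptions made for this sketch.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed syslog layout for sshd password failures ("illegal user" in older
# OpenSSH, "invalid user" in newer). The greedy ".*" and the end anchor make
# the LAST "from <ip>" win, so a crafted username cannot spoof the source.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:(?:invalid|illegal) user )?.* "
    r"from (\S+) port \d+(?: ssh\d)?$"
)

def find_offenders(lines, threshold=5, window_seconds=600, year=2004):
    """Map each source IP to the time it first reached `threshold` failures
    within `window_seconds`. Syslog omits the year, so it is a parameter."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> failure times still inside the window
    offenders = {}
    for line in lines:
        m = FAILED.match(line.rstrip("\n"))
        if not m:
            continue
        try:
            ip = str(ipaddress.ip_address(m.group(2)))
        except ValueError:
            continue              # not a literal address: never block on it
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        hits = recent[ip]
        hits.append(when)
        while when - hits[0] > window:
            hits.popleft()
        if len(hits) >= threshold and ip not in offenders:
            offenders[ip] = when
    return offenders

# Constructed sample log using documentation addresses (not from the thread).
# The fifth username embeds a fake "from 192.0.2.1" to test the anchoring.
NAMES = ["test", "guest", "admin", "user", "root from 192.0.2.1"]
SAMPLE = [
    f"Sep 29 15:00:{s:02d} web1 sshd[2101]: Failed password for illegal user "
    f"{u} from 203.0.113.7 port 4{s:04d} ssh2" for s, u in enumerate(NAMES)
] + [
    "Sep 29 15:02:00 web1 sshd[2200]: Failed password for alice from 198.51.100.9 port 50022 ssh2",
    "Sep 29 15:40:00 web1 sshd[2201]: Failed password for alice from 198.51.100.9 port 50023 ssh2",
    "Sep 29 15:41:00 web1 sshd[2202]: Accepted password for alice from 198.51.100.9 port 50024 ssh2",
]
```

The function expects lines in chronological order, as they appear in a log file. Calling find_offenders(SAMPLE) reports only 203.0.113.7; the legitimate user with two mistyped passwords 38 minutes apart stays under the threshold.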