On Wed, Sep 29, 2004 at 04:10:58PM -0400, Nicolas wrote:
>
> > So, my question is this. Is there a way to tell ssh to refuse
> > connections from an ip address after a certain number of failed
> > login attempts, or is snort the only way to do something like this?
> > So far I've been taking the manual approach, blocking the ip address
> > with my firewall after I see it hitting the logs, but that can give
> > them about an hour to play before I notice it (e-mailed to me by
> > logcheck).
> >
> > Any suggestions?
>
> If you don't have too many users who log in to your server, you can allow
> only them from specific IPs to log in. Or you can disable the password
> facility and only use keys (we do it this way at the job; it's also
> what I do at home).

You'll want to be careful about how you disable password authentication
and which version of SSH you're using. Recent Debian ssh packages
automatically enable the UsePAM directive when upgrading from older
package versions (including the version found in woody currently). This
can lead to password authentication being turned back on, even though
the admin turned it off.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=250369

-- 
Jamin W. Collins

Remember, root always has a loaded gun. Don't run around with it
unless you absolutely need it. -- Vineet Kumar
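
An added example, not part of the original message or of the Debian package: a shell check that reads an sshd_config and reports whether password logins remain reachable once UsePAM is switched on. It assumes the path is PAM-backed keyboard-interactive authentication (ChallengeResponseAuthentication), which sshd_config(5) describes as serving the same role as password authentication; the function names and result strings are hypothetical.

```shell
#!/bin/sh
# Added example: audit an sshd_config for password logins left open via PAM.

# effective_value FILE KEYWORD_REGEX DEFAULT
# sshd uses the first value it reads for a keyword, and keywords are
# case-insensitive. Assumption: flat file, no Match blocks or Include.
effective_value() {
    awk -v key="$2" -v def="$3" '
        { sub(/=/, " ") }                      # accept "Keyword=value" too
        /^[ \t]*#/ { next }                    # skip comment lines
        tolower($1) ~ ("^(" key ")$") {        # first occurrence wins
            print tolower($2); found = 1; exit
        }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd_config FILE
# Prints PASSWORD_ENABLED, PASSWORD_VIA_PAM or PASSWORD_DISABLED.
# Any value other than "no" is treated as enabled (conservative).
audit_sshd_config() {
    pw=$(effective_value "$1" 'passwordauthentication' yes)
    pam=$(effective_value "$1" 'usepam' no)
    # Newer OpenSSH releases call this keyword KbdInteractiveAuthentication.
    kbd=$(effective_value "$1" \
        'challengeresponseauthentication|kbdinteractiveauthentication' yes)
    if [ "$pw" != no ]; then
        echo PASSWORD_ENABLED
    elif [ "$pam" != no ] && [ "$kbd" != no ]; then
        echo PASSWORD_VIA_PAM      # PasswordAuthentication no is not enough
    else
        echo PASSWORD_DISABLED
    fi
}

# Constructed sample: the admin turned passwords off, then an upgrade
# added "UsePAM yes" and left challenge-response at its default.
sample=$(mktemp)
printf '%s\n' 'PubkeyAuthentication yes' \
              'PasswordAuthentication no' \
              'UsePAM yes' > "$sample"
audit_sshd_config "$sample"
rm -f "$sample"
```

Running it against the live file after each package upgrade (for example `audit_sshd_config /etc/ssh/sshd_config`) catches the case described above before it shows up in the logs.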