On Thu, 30 Sep 2004 02:13:02 -0400 Kevin Mark <[EMAIL PROTECTED]> wrote:
> On Wed, Sep 29, 2004 at 02:09:58PM -0500, Jacob S wrote:
> > Every other day or so now I'm seeing attempts in my server's logs
> > where some remote machine starts trying to guess a username/password
> > combination to ssh into the server. They try everything from 'test',
> > to 'NOUSER', 'guest', 'root', etc., doing at least one login attempt
> > per second, each time from a different source port.
> >
> > So, my question is this. Is there a way to tell ssh to refuse
> > connections from an IP address after a certain number of failed
> > login attempts, or is snort the only way to do something like this?
> > So far I've been taking the manual approach, blocking the IP address
> > with my firewall after I see it hitting the logs, but that can give
> > them about an hour to play before I notice it (e-mailed to me by
> > logcheck).
> >
> > Any suggestions?
> Hi Jacob,
> it happened to me a few months ago. Someone suggested that I turn off
> root login from remote hosts in sshd. Is that what you want?

Hello,

No, I already have root logins disabled via ssh. Now I'd like to get
something set up that starts blocking IPs automatically when it sees a
certain number of failed logins. Not blocking based on username, but
blocking based on IP addresses or even MAC addresses (since I notice
iptables is capable of filtering on MAC addresses).

Thanks,
Jacob
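The per-address counting asked about above, as an added example that is not part of the original thread: it scans sshd log lines, flags any source IP that reaches a failure threshold inside a time window, and formats (without running) an iptables rule for each. The function names, the threshold of 5 failures in 60 seconds, the assumed year and the sample lines are all assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address

# "illegal user" is the older sshd wording for "invalid user". The user field is
# matched greedily so the address taken is the last one on the line (the one
# sshd wrote), not text a client supplied as a username.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:(?:invalid|illegal) user )?.* from (?P<ip>\S+) port \d+")

def offenders(lines, threshold=5, window_s=60, year=2004):
    """Source IPs with at least `threshold` failures inside `window_s` seconds."""
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    flagged = []
    for line in lines:  # lines are assumed to be in chronological order
        m = FAILED.match(line)
        if not m:
            continue
        try:
            ip = ip_address(m["ip"]).compressed  # drop anything not an address
        except ValueError:
            continue
        # syslog timestamps carry no year, so one is assumed
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged.append(ip)
    return flagged

def block_commands(ips):
    """Format (not run) one firewall rule per offender, for review."""
    tool = lambda ip: "ip6tables" if ip_address(ip).version == 6 else "iptables"
    return [f"{tool(ip)} -I INPUT -s {ip} -p tcp --dport 22 -j DROP" for ip in ips]

SAMPLE = [  # constructed log lines using documentation address ranges
    "Sep 29 14:09:58 host sshd[811]: Failed password for illegal user test from 203.0.113.7 port 40112 ssh2",
    "Sep 29 14:09:59 host sshd[812]: Failed password for illegal user NOUSER from 203.0.113.7 port 40113 ssh2",
    "Sep 29 14:10:00 host sshd[813]: Failed password for illegal user guest from 203.0.113.7 port 40114 ssh2",
    "Sep 29 14:10:01 host sshd[814]: Failed password for root from 203.0.113.7 port 40115 ssh2",
    "Sep 29 14:10:02 host sshd[815]: Failed password for invalid user a from 192.0.2.99 port 1 from 203.0.113.7 port 40116 ssh2",
    "Sep 29 14:12:00 host sshd[820]: Failed password for jacob from 198.51.100.20 port 51000 ssh2",
    "Sep 29 14:30:00 host sshd[830]: Failed password for jacob from 198.51.100.20 port 51001 ssh2",
]
```

Calling `block_commands(offenders(SAMPLE))` yields a single rule for 203.0.113.7; the two widely spaced failures from 198.51.100.20 stay under the threshold.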