I was poking around my system today and noticed a log that I never knew existed.
/var/log/pwdfail/*

Much to my surprise, I see all these entries (hundreds) from some 'blankety blank blank' trying to hack my server!!

daevid pwdfail # cat current
Sep 17 13:00:25 [sshd(pam_unix)] authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.103.229.40
Sep 17 13:00:27 [sshd] Failed password for invalid user webmaster from 61.103.229.40 port 49431 ssh2
Sep 17 13:00:29 [sshd(pam_unix)] authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.103.229.40
Sep 17 13:00:31 [sshd] Failed password for invalid user oracle from 61.103.229.40 port 49556 ssh2
Sep 17 13:00:33 [sshd(pam_unix)] authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.103.229.40
Sep 17 13:00:35 [sshd] Failed password for mysql from 61.103.229.40 port 49660 ssh2
Sep 17 13:00:37 [sshd(pam_unix)] authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.103.229.40 user=root
Sep 17 13:00:39 [sshd] Failed password for root from 61.103.229.40 port 49769 ssh2
Sep 17 13:00:41 [sshd(pam_unix)] authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.103.229.40 user=root
Sep 17 13:00:43 [sshd] Failed password for root from 61.103.229.40 port 49879 ssh2

I figure there should be a script someone has written that will parse this and automatically add these unique IP addresses (sans redundant ones) to my /etc/shorewall/blacklist

Google for "shorewall pwdfail" doesn't have very many results though, and the ones there are in German or something.

-- 
gentoo-user@gentoo.org mailing list
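
A sketch of the kind of script the post asks for, added here as an example and not part of the original message: it counts sshd "Failed password" lines per source address and returns the unique addresses not yet in the blacklist. The function names, the threshold and the never_block exemption list are hypothetical, and it assumes the Shorewall blacklist takes one address in the first column of each line.

```python
import ipaddress
import re
from collections import Counter

# The user name is chosen by the remote client, so match it greedily and anchor
# at end of line: only the final "from ADDR port N ssh2" is written by sshd.
FAILED = re.compile(r"\[sshd\] Failed password for (?:invalid user )?.* "
                    r"from (\S+) port \d+ ssh2\s*$")

def failed_sources(lines):
    """Count 'Failed password' lines per source address."""
    counts = Counter()
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue  # pam_unix lines report the same attempt; do not count twice
        try:
            counts[str(ipaddress.ip_address(m.group(1)))] += 1
        except ValueError:
            pass  # field is not a literal IP address
    return counts

def new_entries(counts, blacklist_text, threshold=3, never_block=()):
    """Addresses at or over threshold that are neither listed nor exempt."""
    listed = {l.split()[0] for l in blacklist_text.splitlines()
              if l.strip() and not l.lstrip().startswith("#")}
    exempt = [ipaddress.ip_network(n) for n in never_block]
    out = []
    for addr, n in counts.items():
        ip = ipaddress.ip_address(addr)
        if n >= threshold and addr not in listed and not any(ip in net for net in exempt):
            out.append(addr)
    return sorted(out)

# Seven lines from the post, then one constructed line with a crafted user name.
SAMPLE = """\
Sep 17 13:00:25 [sshd(pam_unix)] authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.103.229.40
Sep 17 13:00:27 [sshd] Failed password for invalid user webmaster from 61.103.229.40 port 49431 ssh2
Sep 17 13:00:31 [sshd] Failed password for invalid user oracle from 61.103.229.40 port 49556 ssh2
Sep 17 13:00:35 [sshd] Failed password for mysql from 61.103.229.40 port 49660 ssh2
Sep 17 13:00:37 [sshd(pam_unix)] authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.103.229.40 user=root
Sep 17 13:00:39 [sshd] Failed password for root from 61.103.229.40 port 49769 ssh2
Sep 17 13:00:43 [sshd] Failed password for root from 61.103.229.40 port 49879 ssh2
Sep 17 13:01:00 [sshd] Failed password for invalid user x from 192.0.2.7 port 1 ssh2 from 203.0.113.9 port 50001 ssh2
"""

if __name__ == "__main__":
    for addr in new_entries(failed_sources(SAMPLE.splitlines()), ""):
        print(addr)  # one address per line, ready to append to the blacklist
```

Put the addresses you administer from in never_block so that a mistyped password cannot lock you out of your own server.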