I too get a lot of this crap. The hosts that do this either belong to hackers or have been compromised by hackers. Either way, I've started blacklisting them. Right now it is manual, but I'm going to write a script to troll the syslog and automatically blacklist any host that gets three wrong passwords on sshd. I don't mind publishing the blacklist for others to use, but I suspect that this is already being done. Anyone know anything about that?

wcn
Peter Van den Wildenbergh wrote:
> Hi All:
>
> I've seen a lot of these in my logs lately:
> Jul 5 04:25:13 devenv sshd[21935]: Invalid user accent from 220.117.205.100
> Jul 5 04:25:14 devenv sshd[21937]: Invalid user access from 220.117.205.100
> Jul 5 04:25:16 devenv sshd[21939]: Invalid user account from 220.117.205.100
> Jul 5 04:25:18 devenv sshd[21941]: Invalid user acount from 220.117.205.100
> Jul 5 04:25:20 devenv sshd[21943]: Invalid user ace from 220.117.205.100
> Jul 5 04:25:22 devenv sshd[21945]: Invalid user addict from 220.117.205.100
> Jul 5 04:25:24 devenv sshd[21947]: Invalid user address from 220.117.205.100
> Jul 5 04:25:26 devenv sshd[21949]: Invalid user adept from 220.117.205.100
> Jul 5 04:25:28 devenv sshd[21951]: Invalid user admit from 220.117.205.100
> Jul 5 04:25:29 devenv sshd[21953]: Invalid user admision from 220.117.205.100
> Jul 5 04:25:31 devenv sshd[21955]: Invalid user adult from 220.117.205.100
> Jul 5 04:25:33 devenv sshd[21957]: Invalid user advance from 220.117.205.100
> Jul 5 04:25:35 devenv sshd[21959]: Invalid user advertise from 220.117.205.100
> Jul 5 04:25:37 devenv sshd[21961]: Invalid user advice from 220.117.205.100
> Jul 5 04:25:39 devenv sshd[21963]: Invalid user afraid from 220.117.205.100
> Jul 5 04:25:41 devenv sshd[21965]: Invalid user agency from 220.117.205.100
> Jul 5 04:25:43 devenv sshd[21967]: Invalid user age from 220.117.205.100
> Jul 5 04:25:44 devenv sshd[21969]: Invalid user agent from 220.117.205.100
> Jul 5 04:25:46 devenv sshd[21971]: Invalid user ago from 220.117.205.100
> Jul 5 04:25:48 devenv sshd[21973]: Invalid user agree from 220.117.205.100
> Jul 5 04:25:50 devenv sshd[21975]: Invalid user agreenent from 220.117.205.100
>
> After a while the IP address changes but the attack is similar:
> a dictionary of names with a couple of common BAD passwords like
> temp, root, password... per user name.
>
> I've got an IPCop firewall; is there any way I can automate a temporary block
> (DROP packet iptables rule) for the source address after 3 unsuccessful attempts
> from the same IP?
> The ssh server is sitting behind the IPCop.
>
> Snort maybe? Although I don't know that product.
> Any 'known' easy plug-ins for IPCop?
>
> Thanks for all tips and advice
>
> Peter
>
> _______________________________________________
> clug-talk mailing list
> [email protected]
> http://clug.ca/mailman/listinfo/clug-talk_clug.ca
> Mailing List Guidelines (http://clug.ca/ml_guidelines.php)
> **Please remove these lines when replying
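The "three failures from one IP, then DROP" logic both posters describe, written out as an added example (this is not wcn's script, not an IPCop add-on, and not code from the thread). It parses the two line shapes OpenSSH writes for a bad guess, counts one failure per attempt rather than per line, skips a whitelist so a fat-fingered password from the LAN cannot lock the admin out, and emits iptables commands instead of running them. The sample log lines are constructed (modelled on Peter's), and the whitelist prefixes and the INPUT-chain rule form are assumptions about the target box.

```python
"""Count failed sshd logins per source address and decide which hosts to
block. Added example for this thread; not wcn's script or an IPCop plug-in.
Sample log lines, whitelist and iptables rule form are assumed/constructed."""
import re
import sys
from collections import defaultdict

# OpenSSH log shapes for a wrong guess. Groups: sshd PID, user, source IP.
_INVALID = re.compile(
    r"sshd\[(\d+)\]: Invalid user (\S+) from (\d{1,3}(?:\.\d{1,3}){3})")
_FAILED = re.compile(
    r"sshd\[(\d+)\]: Failed password for (?:invalid user )?(\S+) "
    r"from (\d{1,3}(?:\.\d{1,3}){3})")

THRESHOLD = 3
# Never block these prefixes (assumed LAN/loopback); a mistyped password
# from the admin's own desk must not turn into a DROP rule against it.
WHITELIST = ("127.", "10.", "192.168.")

# Constructed sample, modelled on the lines quoted in the thread.
SAMPLE_LOG = """\
Jul  5 04:25:13 devenv sshd[21935]: Invalid user accent from 220.117.205.100
Jul  5 04:25:13 devenv sshd[21935]: Failed password for invalid user accent from 220.117.205.100 port 40211 ssh2
Jul  5 04:25:14 devenv sshd[21937]: Invalid user access from 220.117.205.100
Jul  5 04:25:14 devenv sshd[21937]: Failed password for invalid user access from 220.117.205.100 port 40212 ssh2
Jul  5 04:25:16 devenv sshd[21939]: Invalid user account from 220.117.205.100
Jul  5 04:26:01 devenv sshd[21960]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jul  5 04:26:03 devenv sshd[21960]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jul  5 04:27:10 devenv sshd[21980]: Failed password for peter from 192.168.1.20 port 33001 ssh2
Jul  5 04:27:12 devenv sshd[21980]: Failed password for peter from 192.168.1.20 port 33001 ssh2
Jul  5 04:27:14 devenv sshd[21980]: Failed password for peter from 192.168.1.20 port 33001 ssh2
Jul  5 04:27:20 devenv sshd[21982]: Accepted password for peter from 192.168.1.20 port 33002 ssh2
"""


def failed_attempts(lines):
    """Yield (ip, user) once per failed login attempt.

    An unknown account is logged twice by the same sshd child: 'Invalid user X'
    when the name is rejected and 'Failed password for invalid user X' when the
    password is tried. Both carry the same PID, so for a PID that has any
    'Failed password' line only those lines are counted; a bare 'Invalid user'
    line (no password line for that PID) still counts as one attempt.
    """
    parsed = [(_FAILED.search(ln), _INVALID.search(ln)) for ln in lines]
    pids_with_pw_failure = {fm.group(1) for fm, _ in parsed if fm}
    for fm, im in parsed:
        if fm:
            yield fm.group(3), fm.group(2)
        elif im and im.group(1) not in pids_with_pw_failure:
            yield im.group(3), im.group(2)


def count_failures(lines):
    """Map source IP -> number of failed attempts."""
    counts = defaultdict(int)
    for ip, _user in failed_attempts(lines):
        counts[ip] += 1
    return dict(counts)


def hosts_to_block(lines, threshold=THRESHOLD):
    """IPs at or over the threshold, minus whitelisted prefixes, sorted."""
    return sorted(ip for ip, n in count_failures(lines).items()
                  if n >= threshold and not ip.startswith(WHITELIST))


def iptables_rules(ips):
    """Shell commands to drop SSH from each IP. Not executed here.

    -I puts the rule at the head of INPUT so it wins over an ACCEPT for port 22.
    Chain name and placement are assumed; on a firewall box that forwards to
    the ssh server the rule belongs in FORWARD instead.
    """
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP" for ip in ips]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            log_lines = fh.read().splitlines()
    else:
        log_lines = SAMPLE_LOG.splitlines()
    for rule in iptables_rules(hosts_to_block(log_lines)):
        print(rule)
```

Run as `python block_sshd.py /var/log/auth.log` (or with no argument to use the constructed sample) and pipe the output through `sh` once you are happy with it. Two things a real deployment needs that this sketch leaves out: an expiry for the DROP rules (a dedicated chain flushed from cron, or a timestamp file per IP), since a compromised host that gets cleaned up should not stay blocked forever, and a way to get the ssh server's log onto the box that holds the rules, because in Peter's setup the sshd sits behind the IPCop. fail2ban and DenyHosts already implement this pattern, including the log tailing and rule expiry, so they are worth checking before maintaining a home-grown version.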

