This has already been done, and it works well. Use the tarball; the .rpm has some dependency issues with itself :-)

http://denyhosts.sourceforge.net/

Cheers
Szemir

On July 14, 2006 09:44, Wendell Nichols wrote:
> I too get a lot of this crap. The hosts that do this either belong to
> hackers, or have been compromised by hackers. Either way, I've started
> blacklisting them. Right now it is manual, but I'm going to write a
> script to troll the syslog and automatically blacklist any host that
> gets three wrong passwords on sshd.
> I don't mind publishing the blacklist for others to use, but I suspect
> that this is already being done. Anyone know anything about that?
> wcn
>
> Peter Van den Wildenbergh wrote:
> > Hi All :
> >
> > I've seen a lot of these in my logs lately:
> > Jul 5 04:25:13 devenv sshd[21935]: Invalid user accent from 220.117.205.100
> > Jul 5 04:25:14 devenv sshd[21937]: Invalid user access from 220.117.205.100
> > Jul 5 04:25:16 devenv sshd[21939]: Invalid user account from 220.117.205.100
> > Jul 5 04:25:18 devenv sshd[21941]: Invalid user acount from 220.117.205.100
> > Jul 5 04:25:20 devenv sshd[21943]: Invalid user ace from 220.117.205.100
> > Jul 5 04:25:22 devenv sshd[21945]: Invalid user addict from 220.117.205.100
> > Jul 5 04:25:24 devenv sshd[21947]: Invalid user address from 220.117.205.100
> > Jul 5 04:25:26 devenv sshd[21949]: Invalid user adept from 220.117.205.100
> > Jul 5 04:25:28 devenv sshd[21951]: Invalid user admit from 220.117.205.100
> > Jul 5 04:25:29 devenv sshd[21953]: Invalid user admision from 220.117.205.100
> > Jul 5 04:25:31 devenv sshd[21955]: Invalid user adult from 220.117.205.100
> > Jul 5 04:25:33 devenv sshd[21957]: Invalid user advance from 220.117.205.100
> > Jul 5 04:25:35 devenv sshd[21959]: Invalid user advertise from 220.117.205.100
> > Jul 5 04:25:37 devenv sshd[21961]: Invalid user advice from 220.117.205.100
> > Jul 5 04:25:39 devenv sshd[21963]: Invalid user afraid from 220.117.205.100
> > Jul 5 04:25:41 devenv sshd[21965]: Invalid user agency from 220.117.205.100
> > Jul 5 04:25:43 devenv sshd[21967]: Invalid user age from 220.117.205.100
> > Jul 5 04:25:44 devenv sshd[21969]: Invalid user agent from 220.117.205.100
> > Jul 5 04:25:46 devenv sshd[21971]: Invalid user ago from 220.117.205.100
> > Jul 5 04:25:48 devenv sshd[21973]: Invalid user agree from 220.117.205.100
> > Jul 5 04:25:50 devenv sshd[21975]: Invalid user agreenent from 220.117.205.100
> >
> > After a while the IP address changes but the attack is similar:
> > a dictionary of names with a couple of common BAD passwords like
> > temp, root, password... per user name.
> >
> > I got an IPCop firewall; is there any way I can automate a temporary
> > block (DROP package IP table rule) for source address after 3
> > unsuccessful attempts from the same IP? The ssh server is sitting behind
> > the IPCop.
> >
> > Snort maybe? Although I don't know that product.
> > Any 'known' easy plug-ins for IPCop?
> >
> > Thanks for all tips and advice
> >
> > Peter
> >
> > _______________________________________________
> > clug-talk mailing list
> > [email protected]
> > http://clug.ca/mailman/listinfo/clug-talk_clug.ca
> > Mailing List Guidelines (http://clug.ca/ml_guidelines.php)
> > **Please remove these lines when replying
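
Added example, not part of the original thread and not DenyHosts code: one way to write the syslog check discussed above, flagging any source with three "Invalid user" lines inside a time window. The function name, the 10-minute window, the `year` parameter and the sample lines (documentation-range addresses) are assumptions; the line format is the one in the quoted log, with the address as the last field.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The user name is chosen by the remote client, so the pattern takes the
# address only from the END of the line. A user name such as
# "a from 192.0.2.99" then cannot get an unrelated host blacklisted.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>.*) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)

def find_offenders(lines, threshold=3, window=timedelta(minutes=10), year=2006):
    """Map each source IP to the time it reached `threshold` invalid-user
    attempts within `window`. Lines must be in chronological order."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    offenders = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so one is supplied (assumption)
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        attempts = recent[m["ip"]]
        attempts.append(when)
        while when - attempts[0] > window:   # forget attempts that aged out
            attempts.popleft()
        if len(attempts) >= threshold and m["ip"] not in offenders:
            offenders[m["ip"]] = when
    return offenders

# Constructed sample input (not taken from the thread's logs).
SAMPLE = [
    "Jul  5 04:25:13 devenv sshd[21935]: Invalid user accent from 203.0.113.7",
    "Jul  5 04:25:14 devenv sshd[21937]: Invalid user access from 203.0.113.7",
    "Jul  5 04:25:16 devenv sshd[21939]: Invalid user a from 192.0.2.99 from 203.0.113.7",
    "Jul  5 04:30:00 devenv sshd[22001]: Invalid user bob from 198.51.100.9",
    "Jul  5 06:30:00 devenv sshd[22050]: Invalid user bob from 198.51.100.9",
    "Jul  5 08:30:00 devenv sshd[22090]: Invalid user bob from 198.51.100.9",
]

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE).items():
        print(f"{ip} reached the threshold at {when:%b %d %H:%M:%S}")
```

The returned addresses are what a blocking step (a hosts.deny entry or a firewall DROP rule) would act on; expiring them after a fixed time gives the temporary block Peter asks about.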

