On Wed, 15 Aug 2001, David N Moore wrote:

> Hi,
> I have been poking around with Google looking for some ideas
> for a solution to this problem. Can you think of an easy way to block
> all connections from a certain IP if it tries to log in, say, 5 times and
> fails? The idea being that it would stop someone from using a
> dictionary-based attack if they had a user-name.
>
> Any input would be appreciated.
You could use swatch. This program searches files for a given pattern and then reacts by executing a command, or just writes a warning to the console. You must write a short program that creates IP-named files in a special directory where it stores the number of failed connections; if the number written to the file is bigger than or equal to max_failed_connect, it would execute iptables -t filter -I input -s $IP -j DROP. If it is smaller than max_failed_connect, it would only increment it.

--
Robert Magier
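A working version of the counter-file scheme from Robert's reply, added here as an example; it is not code from the original thread. It assumes swatch hands the whole matching log line to the script (swatch's exec substitution of $0 is assumed here, check swatch(1) for the version you run), a state directory under /var/run, and sshd's "Failed password for ... from A.B.C.D" log format. Two practitioner notes built into it: the iptables chain name is case-sensitive (INPUT, not input), and the address is validated before it is ever placed on the iptables command line, because the log line it came from is attacker-influenced text.

```shell
#!/bin/sh
# Added example, not from the original thread: per-IP failed-login counter
# files plus an iptables DROP once the counter reaches the threshold.
#
# Assumed swatchrc stanza (swatch expands $0 to the matched line; assumption):
#
#   watchfor /sshd\[\d+\]: Failed password for .* from \d+\.\d+\.\d+\.\d+/
#       exec "/usr/local/sbin/failcount.sh '$0'"
#
# Paths and variable names below are illustrative assumptions.

STATE_DIR="${STATE_DIR:-/var/run/failcount}"
MAX_FAILED_CONNECT="${MAX_FAILED_CONNECT:-5}"
# Block action; the address is appended as the last argument. Override it
# (e.g. BLOCK_CMD=echo) to exercise the script without touching the firewall.
# Note the chain is INPUT: iptables chain names are case-sensitive.
BLOCK_CMD="${BLOCK_CMD:-iptables -t filter -I INPUT -j DROP -s}"

# Print the source address of a line such as
#   "Aug 15 10:00:01 host sshd[123]: Failed password for root from 10.0.0.5 port 4242 ssh2"
# Prints nothing when the line is not a failed-password record.
extract_ip() {
    printf '%s\n' "$1" | sed -n \
        's/.*Failed password for .* from \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Accept only a plain dotted quad with octets 0-255. Anything else (shell
# metacharacters, extra words, a crafted username in the log line) is
# rejected so it can never reach the BLOCK_CMD argument list.
valid_ip() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Record one failure for the given address and print the new count.
# When the count reaches MAX_FAILED_CONNECT the block command runs once;
# the ".blocked" marker keeps later hits from inserting duplicate rules.
record_failure() {
    ip="$1"
    valid_ip "$ip" || { echo "refusing malformed address: $ip" >&2; return 1; }
    mkdir -p "$STATE_DIR"
    f="$STATE_DIR/$ip"
    n=$(cat "$f" 2>/dev/null || echo 0)
    n=$((n + 1))
    printf '%s\n' "$n" > "$f"
    if [ "$n" -ge "$MAX_FAILED_CONNECT" ] && [ ! -e "$f.blocked" ]; then
        $BLOCK_CMD "$ip" && : > "$f.blocked"
    fi
    echo "$n"
}

# Entry point used from swatch: parse the line, then count the failure.
handle_line() {
    ip=$(extract_ip "$1")
    if [ -z "$ip" ]; then
        echo "no failed-login address in: $1" >&2
        return 1
    fi
    record_failure "$ip"
}

if [ -n "${1:-}" ]; then
    handle_line "$1"
fi
```

Try it without root by overriding the block action, e.g. BLOCK_CMD=echo MAX_FAILED_CONNECT=3 sh failcount.sh 'Aug 15 10:00:01 host sshd[123]: Failed password for root from 10.0.0.5 port 4242 ssh2' run three times. Two caveats: the counter files never decay, so something (a cron job emptying the directory, or a timestamp check added to record_failure) has to give a legitimate user a second chance; and the read-modify-write on the counter file is not atomic, so two concurrent invocations can lose a count, which here only delays the block by one attempt.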

