Hi!

> Maybe there is a way to temporarily block ips upon such attempts (is
> this a FAQ?), or maybe divert them like what portsentry does for
> portscans?

A friend recommended 
  http://www.csc.liv.ac.uk/~greg/sshdfilter/
but I didn't try it myself. It runs as a daemon and blocks the IP if
several non-existent users have been tried. A logfile looks like this:

Jan 17 21:27:12 localhost sshd[14378]: Failed keyboard-interactive/pam for root from ::ffff:xx.xx.xx.xx port 53273 ssh2
Jan 17 21:27:12 localhost sshdfilt[14377]: Chanced xx.xx.xx.xx, tries=2
Jan 17 21:27:12 localhost sshd[14378]: Postponed keyboard-interactive for root from ::ffff:xx.xx.xx.xx port 53273 ssh2
Jan 17 21:27:16 localhost sshd[14378]: Connection closed by ::ffff:xx.xx.xx.xx
Jan 17 21:27:23 localhost sshdfilt[14377]: Illegal user name, instant block of xx.xx.xx.xx
Jan 17 21:27:23 localhost sshd[14378]: Illegal user admin from ::ffff:xx.xx.xx.xx
Jan 17 21:27:23 localhost sshd[14378]: input_userauth_request: illegal user admin
Jan 17 21:27:23 localhost sshd[14378]: Failed none for illegal user admin from ::ffff:xx.xx.xx.xx port 53289 ssh2

where xx.xx.xx.xx is the IP address of the offender.

Bye
  Hansi
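
The blocking decisions visible in the log above (a try counter per address, and an instant block on an illegal user name), as an added example that is not part of the original message and not sshdfilter's own code. The threshold MAX_TRIES, the name decide_blocks and the sample log lines with documentation addresses are assumptions constructed for illustration.

```python
import re
from collections import Counter

MAX_TRIES = 3  # assumed threshold, not sshdfilter's actual setting

# Only lines written by sshd itself are considered (not sshdfilt's own output).
PREFIX = r"^\w{3} +\d+ [\d:]{8} \S+ sshd\[\d+\]: "
# IPv4 address, optionally in IPv4-mapped IPv6 form (::ffff:a.b.c.d).
IP = r"(?:::ffff:)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
# Both patterns are anchored at the end of the line, so the address is always
# the one sshd appended itself, never text that arrived inside a user name.
ILLEGAL = re.compile(PREFIX + r"Illegal user (?P<user>.+) from " + IP + r"$")
FAILED = re.compile(PREFIX + r"Failed \S+ for (?P<user>.+) from " + IP + r" port \d+ ssh2$")

def decide_blocks(lines, max_tries=MAX_TRIES):
    """Return {ip: reason} for every address this policy would block."""
    tries, blocked = Counter(), {}
    for line in lines:
        line = line.rstrip("\n")
        m = ILLEGAL.match(line)
        if m:
            blocked.setdefault(m["ip"], "illegal user name")
            continue
        m = FAILED.match(line)
        if not m:
            continue  # "Postponed", "Connection closed" and similar lines
        if m["user"].startswith("illegal user "):
            blocked.setdefault(m["ip"], "illegal user name")
            continue
        tries[m["ip"]] += 1  # failed login for an existing account
        if tries[m["ip"]] >= max_tries:
            blocked.setdefault(m["ip"], f"{max_tries} failed logins")
    return blocked

# Constructed sample input in the format shown in the message.
SAMPLE_LOG = """\
Jan 17 21:27:12 localhost sshd[14378]: Failed keyboard-interactive/pam for root from ::ffff:192.0.2.10 port 53273 ssh2
Jan 17 21:27:16 localhost sshd[14378]: Connection closed by ::ffff:192.0.2.10
Jan 17 21:27:23 localhost sshd[14380]: Illegal user admin from ::ffff:203.0.113.5
Jan 17 21:27:23 localhost sshd[14380]: Failed none for illegal user admin from ::ffff:203.0.113.5 port 53289 ssh2
Jan 17 21:27:30 localhost sshd[14381]: Failed password for root from ::ffff:192.0.2.10 port 53301 ssh2
Jan 17 21:27:34 localhost sshd[14382]: Failed password for root from ::ffff:192.0.2.10 port 53302 ssh2
Jan 17 21:27:40 localhost sshd[14383]: Failed password for alice from 198.51.100.7 port 40022 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, reason in decide_blocks(SAMPLE_LOG).items():
        print(f"block {ip}: {reason}")
```

The returned addresses would then be handed to whatever does the actual blocking, for example a firewall rule or a hosts.deny entry.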


