I wrote a script for just this thing a few months ago. The script I wrote, when executed from a cronjob, looks over the auth.log. When a dictionary attack is found, it puts the IP of the attacker in a peerguardian formatted file. From there, linblock (http://www.dessent.net/linblock/) is executed and adds an iptables rule for them.
If you would like to check it out, you can find it at http://www.pcolalug.org/smf/index.php?topic=2734.0

~Daniel

On 3/12/06, Felipe Figueiredo <[EMAIL PROTECTED]> wrote:
> Hello,
>
> once in a while (say, every two weeks) I get a brute-force
> login/password scan attempt in my server (i.e., a single ip tries
> dictionary account names and passwords at random). SSH access is
> needed by many users, and (RSA/DSA key)-only access is, at present
> time, unwanted. So far none such attempt was lucky (to my knowledge),
> but it always gives me creeps when I see unusually big logwatch
> reports, and my contacts to sysadmins of originating networks are
> usually ignored.
>
> Any ideas?
>
> Maybe there is a way to temporarily block ips upon such attempts (is
> this a FAQ?), or maybe divert them like what portsentry does for
> portscans?
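
The approach described in the reply above (scan auth.log for dictionary attacks, write the source addresses in PeerGuardian format), as an added example that is not part of the original message and is not Daniel's script. The function names, thresholds and sample log lines are assumptions constructed for illustration; a source is flagged only when it fails across several account names, so a real user mistyping a password is not blocked.

```python
import re
from collections import defaultdict

# OpenSSH "Failed password" line from auth.log. The user name is supplied by
# the remote client, so match it greedily and anchor at end of line: the
# address is always taken from sshd's own trailing "from <ip> port <n> ssh2".
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(.*) "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2\s*$"
)

def find_attackers(lines, min_failures=5, min_users=3):
    """Return {ip: (failures, distinct_users)} for sources that fail often
    AND across several account names (both thresholds are assumptions)."""
    failures, users = defaultdict(int), defaultdict(set)
    for line in lines:
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            users[ip].add(user)
    return {ip: (n, len(users[ip])) for ip, n in failures.items()
            if n >= min_failures and len(users[ip]) >= min_users}

def to_p2p(attackers):
    """PeerGuardian P2P text format: 'label:first_ip-last_ip', one per line."""
    return [f"ssh dictionary attack, {n} failures:{ip}-{ip}"
            for ip, (n, _) in sorted(attackers.items())]

def sample_line(who, ip):
    """Build one constructed auth.log line (not real log data)."""
    return (f"Mar 12 03:14:07 host sshd[4711]: Failed password for {who} "
            f"from {ip} port 40022 ssh2")

# Constructed sample: one source guessing many accounts, and one real user
# mistyping a password five times (must not be flagged).
SAMPLE_LOG = (
    [sample_line(f"invalid user {u}", "203.0.113.5")
     for u in ("admin", "test", "guest", "oracle", "ftp")]
    + [sample_line("root", "203.0.113.5")]
    + [sample_line("felipe", "198.51.100.7")] * 5
)

if __name__ == "__main__":
    print("\n".join(to_p2p(find_attackers(SAMPLE_LOG))))
```

Run from cron, the output lines would be written to the blocklist file that is then handed to the tool that creates the iptables rules.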

