On Wed, Dec 03, 2008 at 07:43:26PM -0600, Jeffrey Goldberg wrote: > It's not a big issue, but I'm wondering if there is a DNSBl that lists > IPs that are engaging in brute force ssh attacks. And if there is > such a list, is there a way to integrate that information into a > firewall or sshd. > > As I've said this really isn't a big issue for me, as the brute force > attempts at sshd are nothing but an annoyance as I review logs. > > The attacks that I'm seeing appear to be coordinated and distributed. > That is, there will be one attempt on username "fred" from one IP > immediately followed by an attempt on "freddy" from another IP > followed by an attempt on "fredrick" from a third source and so on.
I don't know of any DNSbl type service, but I am using DenyHosts with very great success. Its synchronisation feature allows participating instances of the script to share IP addresses of misbehaving hosts, so as soon as an address hits the database, it's only a matter of an hour or so before your instance can start blocking it. The basic setup uses TCP wrappers to block offending hosts, but I am using the datafile it maintains as a file-based table in pf, which I reload periodically from a cronjob. Dan -- Daniel Bye _ ASCII ribbon campaign ( ) - against HTML, vCards and X - proprietary attachments in e-mail / \
Description: PGP signature