The ones I see in my logs tend to be pretty lame attempts (not sure what the tool is). Are you seeing more than a few in a minute? I just never see this as very sophisticated, and kind of live with it, although I would like to block it too; I don't have the option of going all key with my users.
We typically see 10-50 attempts spaced 2-5 seconds apart from each IP address. We average 3 attacks per day, lowest being 0 attacks and highest being 6 attacks daily so far.
Currently, a script runs every few minutes that looks for these and updates IPF and iptables, by default blocking with mask 255.255.0.0. Useful sites that get blocked accidentally are adjusted by hand (usually masking 255.255.255.0). Luckily our user names don't seem to correspond with the name lists used in the attacks, but that could change at any time.
I've been tracking the list of user names (1437 as of today) used in the attacks if anyone wants them.
--
---------------------------------------------------------------------------
Mark Leisher
Computing Research Lab
New Mexico State University
Box 30001, MSC 3CRL
Las Cruces, NM 88003

Frantic orthodoxy is never rooted in faith but in doubt. It is when we are unsure that we are doubly sure.
-- Reinhold Niebuhr (1892-1971)
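
The log-scanning approach described in the message above, as an added example (not the poster's actual script): it counts failed SSH logins per source address and widens offenders to a /16, or to a /24 for hand-listed ranges. The OpenSSH "Failed password" line format, the 10-failures-in-5-minutes threshold, the port-22 rule, all function names and the sample lines are assumptions or constructed here.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Matches OpenSSH "Failed password" syslog lines; captures time, user, source IP.
FAILED = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?(\S+) from (\d+(?:\.\d+){3}) ")

def sample_log():
    """Constructed input: 12 failures 3 s apart from one address, 2 from another."""
    names = ["admin", "test", "guest", "oracle"]
    noisy = [f"Oct  2 03:14:{3 * i:02d} gw sshd[411]: Failed password for invalid user "
             f"{names[i % 4]} from 203.0.113.45 port {40000 + i} ssh2" for i in range(12)]
    quiet = [f"Oct  2 09:0{i}:00 gw sshd[502]: Failed password for alice "
             f"from 198.51.100.7 port {51000 + i} ssh2" for i in range(2)]
    return noisy + quiet

def find_attackers(lines, threshold=10, window=timedelta(minutes=5), year=2005):
    """Return {ip: usernames tried} for IPs with >= threshold failures within window."""
    events = defaultdict(list)
    for line in lines:
        m = FAILED.match(line)
        if m:  # syslog omits the year, so the caller supplies it
            when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events[m.group(3)].append((when, m.group(2)))
    hits = {}
    for ip, evs in events.items():
        evs.sort()
        # Slide over the sorted failures looking for `threshold` of them inside `window`.
        for i in range(len(evs) - threshold + 1):
            if evs[i + threshold - 1][0] - evs[i][0] <= window:
                hits[ip] = sorted({user for _, user in evs})
                break
    return hits

def block_networks(ips, narrow=()):
    """Widen each IP to a /16, or to a /24 when it falls in a hand-listed `narrow` range."""
    narrow = [ip_network(n) for n in narrow]
    nets = set()
    for ip in ips:
        prefix = 24 if any(ip_address(ip) in n for n in narrow) else 16
        nets.add(ip_network(f"{ip}/{prefix}", strict=False))
    return sorted(nets)

def iptables_rules(nets):
    """Render DROP rules; limiting them to TCP port 22 is an assumption."""
    return [f"iptables -I INPUT -p tcp --dport 22 -s {n} -j DROP" for n in nets]

if __name__ == "__main__":
    attackers = find_attackers(sample_log())
    print("\n".join(iptables_rules(block_networks(attackers))))
```

The usernames returned per address can be compared against local account names, the concern raised in the message about the attack name lists.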
