I've upped the block time to 24 hours because I've noticed the same IPs come back and try again.
-----Original Message-----
From: Craig FALCONER [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 18 January 2006 7:44 a.m.
To: [email protected]
Subject: RE: Hacking attempt - how can I spot this earlier?

Following this discussion, I've installed fail2ban on horse. The block is for one hour, after 5 failed login attempts within 10 minutes. Overnight, 25 different IPs were blocked, mostly in China and Korea. It's worth doing!

-----Original Message-----
From: Hadley Rich [mailto:[EMAIL PROTECTED]
Sent: Monday, 16 January 2006 6:34 p.m.
To: [email protected]
Subject: Re: Hacking attempt - how can I spot this earlier?

On Friday 13 January 2006 11:58, Jim Cheetham wrote:
> On Fri, Jan 13, 2006 at 11:53:30AM +1300, Dave van Leeuwen wrote:
> > > (1) Is there some desktop monitoring utility that will immediately
> > > notify me of suspicious behaviour? I'm rather disturbed that it's
> > > taken me 4 days to notice this.
> >
> > daemonshield runs as a daemon watching sshd logs and pam logs for
> > failed logins. If these reach a threshold then an IPtables rule
> > blocks the ip for a given period of time.
>
> DenyHosts is another program doing a similar task, but using
> tcpwrappers instead of IPtables. It allows you to expire blocked hosts
> after a few days ...

Just so you have another option -- fail2ban is another program doing the same thing as the above two. The nice thing about it for me is that it's in the Debian repository.

HTH

hads

--
Traffic signals in New York are just rough guidelines.
-- David Letterman
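The thresholds described in the thread (5 failed logins within 10 minutes, then a block of one hour or 24 hours), replayed over a constructed sshd log as an added example; this is not fail2ban's code and not from any of the posters. The log lines, addresses, user names and the `find_bans` helper are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_RETRY = 5                       # failed logins that trigger a block
FIND_TIME = timedelta(minutes=10)   # window the failures must fall within
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (\d{1,3}(?:\.\d{1,3}){3}) port \d+")

def find_bans(lines, ban_time=timedelta(hours=24), year=2006):
    """Return [(ip, banned_at, banned_until)] for a replayed sshd log."""
    recent = defaultdict(deque)     # ip -> failure times still inside FIND_TIME
    banned_until, bans = {}, []
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue                # successful logins and other noise
        # syslog timestamps carry no year, so the caller supplies one
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if banned_until.get(ip, when) > when:
            continue                # still blocked: the firewall would drop this
        window = recent[ip]
        window.append(when)
        while when - window[0] > FIND_TIME:
            window.popleft()        # forget failures older than the window
        if len(window) >= MAX_RETRY:
            banned_until[ip] = when + ban_time
            bans.append((ip, when, when + ban_time))
            window.clear()
    return bans

def _fail(ts, user, ip):
    return f"{ts} horse sshd[4321]: Failed password for {user} from {ip} port 40022 ssh2"

# Constructed sample log; the addresses are documentation ranges, not real hosts.
SAMPLE_LOG = sorted(
    [_fail(f"Jan 17 02:1{i}:00", "root", "203.0.113.7") for i in range(5)]
    + [_fail(f"Jan 17 04:2{i}:00", "root", "203.0.113.7") for i in range(5)]
    + [_fail(f"Jan 17 0{i}:30:00", "invalid user admin", "198.51.100.23")
       for i in range(3, 8)]        # one failure an hour: never 5 in 10 minutes
    + ["Jan 17 08:00:00 horse sshd[4400]: Accepted password for alice "
       "from 192.0.2.10 port 50000 ssh2"])

if __name__ == "__main__":
    for hours in (1, 24):
        for ip, start, end in find_bans(SAMPLE_LOG, timedelta(hours=hours)):
            print(f"{hours:>2}h policy: {ip} blocked {start} -> {end}")
```

Replaying the same log under both policies shows the returning address earning a second block with the one-hour setting, while the 24-hour setting still covers its second burst.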
