On Wed, Jan 18, 2006 at 09:58:32AM +1300, Craig FALCONER wrote:
> I've upped the block time to 24 hours because I've noticed the same IPs come
> back and try again.

I block for 5 days :-) But also make sure you maintain a decent whitelist for genuine users, who will occasionally make enough login attempts to block themselves. That's one reason why I'm happy with using tcpwrappers instead of iptables - you can still get to some other services to confirm that "it's only ssh that's stopped working". On the other hand, if there was a correlation between ssh hacks and spam runs, I'd probably change my mind ...

-jim
