badeguruji <[EMAIL PROTECTED]> writes:

> Nov 9 03:24:51 <myserver> sshd[15822]: Did not receive identification string from 218.76.217.234
>
> Nov 10 16:55:19 <myserver> sshd[29183]: Did not receive identification string from 82.207.116.209
> Nov 10 16:58:58 <myserver> sshd[21261]: Failed password for root from 82.207.116.209 port 35194 ssh2
We all have to deal with those at times. As others have mentioned, using state tracking options with an overload table is one useful way to deal with those. The short recipe at <http://home.nuug.no/~peter/pf/en/bruteforce.html> is one of the more popular parts of my PF tutorial and should give you an idea.

And of course, if you have the time and energy, sending a canned answer like this to whoever whois tells you is in charge may earn you a few thank you notes as well as a depressing number of bounces for abuse@ and similar RFC mandated addresses:

"Dear Colleague,

As can be seen from the log excerpts below, the host $bruteforcer has made repeated attempts at accessing hosts in our network (in this case $targethostname, at address $targetaddress - times logged are in $timezone). This is consistent with a variety of canned attacks and worms. We would appreciate your cooperation in offlining the perpetrator.

Yours sincerely,
$yourname

[log fragment]"

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.datadok.no/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
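The state-tracking approach the reply points to, written out here as an added pf.conf example rather than text from the tutorial or the post; the interface macro $ext_if, the table name and the thresholds are assumptions you would tune for your own site:

```pf
# Persistent table holding addresses that have tripped the overload rule.
table <bruteforce> persist

# Drop everything from addresses already in the table, before any pass rule.
block in quick from <bruteforce>

# Allow SSH, but keep per-source counters on the state entries:
#   max-src-conn      - at most 15 concurrent states from one source
#   max-src-conn-rate - at most 5 new connections per 3 seconds per source
# A source exceeding either limit is added to <bruteforce>, and
# "flush global" kills all of that source's existing states, not only
# the ones created by this rule.
pass in on $ext_if proto tcp to $ext_if port ssh \
    flags S/SA keep state \
    (max-src-conn 15, max-src-conn-rate 5/3, \
     overload <bruteforce> flush global)
```

Table entries do not age out on their own, so expire ones older than a day with `pfctl -t bruteforce -T expire 86400` (from cron, for instance) and inspect the current contents with `pfctl -t bruteforce -T show`.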

