On Tuesday 21 December 2004 13:11, J. David Boyd wrote:
> Turns out they have been, every night for weeks, (my bad), but now
> with my modified script (based on your great contribution), they won't be
> doing it more than once.

Well, my little script is very quick and dirty but after about a week of being hit multiple times every night, I haven't yet found it parsing logs wrong on my system but that doesn't mean much beyond my system.

I am currently working with another much more elegant solution called sshd-sentry, trying to see if it is going to work better. It is perl, much better formed than mine, runs as a daemon and keeps constant watch on the logs unlike mine. It has a configurable threshold that you set and more than that many attempts to login and the IP gets banned. Also, automatically removes the ban after 1 day by default (also configurable), hopefully when they have moved on to another target. It also sends an email to notify the admin of the ban, and another feature, that I haven't worked with is that you can install a central server that takes nominations from various clients and keeps a unified block list. So, one bite at the apple on one machine gets you banned on all of them.

Sshd-sentry was originally coded by Victor Danilchenko and is GPL so I can post my changes (which are very slight at this point). He is a MUCH better coder than am I, so I am hopeful this is going to work much better. I have it installed and running now and find myself in the weird position of actually hoping that someone tries to brute force my ssh soon so I can see if it works. :-0

If it works, I will throw a copy of it out on the Twiki so that others can take a look and see if it works better for them.

--
Bryan Phinney
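
Added example, not part of the original message and not sshd-sentry's own code: a sketch of the threshold-then-ban-with-expiry logic the message describes, run over a constructed sshd log. It also shows why the pattern is anchored at the end of the line, so text placed in the user-name field cannot nominate someone else's address for a ban. Assumptions: the OpenSSH "Failed password" syslog format, a caller-supplied year (syslog timestamps carry none), and the hypothetical names `Sentry`, `feed`, `expire` and `run`.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Greedy ".*" plus the "$" anchor take the address from the END of the line,
# so a user name containing "from <ip> port <n>" cannot choose who gets banned.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:(?:illegal|invalid) user )?.* from (\d{1,3}(?:\.\d{1,3}){3}) port \d+(?: ssh\d?)?\s*$"
)

class Sentry:
    def __init__(self, threshold=3, ban_for=timedelta(days=1), year=2004):
        self.threshold, self.ban_for, self.year = threshold, ban_for, year
        self.failures = defaultdict(int)   # ip -> failed attempts seen so far
        self.banned = {}                   # ip -> time at which the ban lapses

    def feed(self, line):
        # Returns the IP when this line triggers a new ban, otherwise None.
        m = FAILED.match(line)
        if not m:
            return None
        when = datetime.strptime(f"{self.year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        self.expire(when)
        if ip in self.banned:
            return None
        self.failures[ip] += 1
        if self.failures[ip] <= self.threshold:   # ban only on MORE than threshold
            return None
        self.banned[ip] = when + self.ban_for
        del self.failures[ip]
        return ip

    def expire(self, now):
        # Lift every ban whose time is up and return the released IPs.
        released = [ip for ip, until in self.banned.items() if until <= now]
        for ip in released:
            del self.banned[ip]
        return released

# Constructed sample log; all addresses are from documentation ranges.
FAIL = "Failed password for illegal user test from 192.0.2.10"
MSGS = [FAIL] * 3 + ["Accepted password for alice from 198.51.100.7"] + [FAIL] * 2 + [
    "Failed password for illegal user x from 203.0.113.5 port 1 from 192.0.2.10",
]
SAMPLE = [f"Dec 21 03:14:0{i} host sshd[410{i}]: {m} port 4000{i} ssh2"
          for i, m in enumerate(MSGS, 1)]
def run(lines, **kw):
    s = Sentry(**kw)
    return [ip for ip in map(s.feed, lines) if ip], s
```

`run(SAMPLE)` bans 192.0.2.10 on its fourth failure and releases it one day later; the last sample line, whose user name embeds 203.0.113.5, is attributed to 192.0.2.10.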
