We used to use some little homebrew project called "bfd" (brute force detection) that would basically check the logs every 10 minutes, see if there were a lot of invalid logins from a particular IP and then automatically create a firewall rule to drop all packets from that IP. This would remain in effect until the server was rebooted. These days, we mostly just rely on snort and snortsam and they take care of this for us.
Chris

On Thu, Mar 5, 2009 at 1:03 PM, karlhaines <k...@nashvilleproweb.com> wrote:
>
> I'm getting crazy brute force attempts from some annoying hacker that
> looks like this in my logs:
>
> Jan 21 21:43:22 server sshd[16419]: Invalid user test from 221.238.19.46
> Jan 21 21:43:22 server sshd[16421]: Invalid user brown from 221.238.19.46
> Jan 21 21:43:23 server sshd[16424]: Invalid user liza from 221.238.19.46
> Jan 21 21:43:24 server sshd[16426]: Invalid user lois from 221.238.19.46
> Jan 21 21:43:24 server sshd[16428]: Invalid user tester from 221.238.19.46
> Jan 21 21:43:24 server sshd[16429]: Invalid user cyan from 221.238.19.46
> Jan 21 21:43:25 server sshd[16432]: Invalid user lizabeth from 221.238.19.46
> Jan 21 21:43:26 server sshd[16434]: Invalid user lola from 221.238.19.46
> Jan 21 21:43:26 server sshd[16436]: Invalid user tester from 221.238.19.46
>
> I had this problem before and someone suggested an easy fix, some
> little app I installed to block these guys, who has a better memory
> than me that could point me to that app again?? Thanks.
>
> Karl
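
The log-scanning approach described in the reply above (count invalid logins per source IP, then produce a firewall rule for the noisy ones), as an added example that is not bfd's code and not part of the original thread. The threshold, allowlist and function names are assumptions; the function counts over whatever batch of lines it is given, for example the lines written since the previous 10-minute run.

```python
import ipaddress
import re
from collections import Counter

# Take the address from the END of the line: the user name is remote-supplied
# text and must not be able to influence which IP gets parsed and blocked.
INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user .* from (\S+)(?: port \d+)?$")

THRESHOLD = 5              # assumed: invalid logins per batch before blocking
ALLOWLIST = {"127.0.0.1"}  # assumed: addresses that must never be blocked

def offenders(log_lines, threshold=THRESHOLD, allowlist=ALLOWLIST):
    """Return {ip: count} for IPv4 sources with >= threshold invalid-user lines."""
    counts = Counter()
    for line in log_lines:
        m = INVALID_USER.search(line.rstrip())
        if not m:
            continue
        try:
            ip = str(ipaddress.IPv4Address(m.group(1)))
        except ValueError:
            continue  # hostname, IPv6 or junk: never passed on to the firewall
        if ip not in allowlist:
            counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

def firewall_rules(ips):
    """Render (do not execute) one iptables DROP rule per offending address."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(ips)]

# First six lines are from the post; the last two are constructed test input.
SAMPLE = [
    "Jan 21 21:43:22 server sshd[16419]: Invalid user test from 221.238.19.46",
    "Jan 21 21:43:22 server sshd[16421]: Invalid user brown from 221.238.19.46",
    "Jan 21 21:43:23 server sshd[16424]: Invalid user liza from 221.238.19.46",
    "Jan 21 21:43:24 server sshd[16426]: Invalid user lois from 221.238.19.46",
    "Jan 21 21:43:24 server sshd[16428]: Invalid user tester from 221.238.19.46",
    "Jan 21 21:43:24 server sshd[16429]: Invalid user cyan from 221.238.19.46",
    "Jan 21 21:50:01 server sshd[16500]: Invalid user admin from 192.0.2.10",
    "Jan 21 21:50:02 server sshd[16502]: Invalid user x from 198.51.100.7 from 192.0.2.10",
]

if __name__ == "__main__":
    for rule in firewall_rules(offenders(SAMPLE)):
        print(rule)
```

Rules inserted this way live only in the running kernel, which matches the reply's remark that the block lasted until the server was rebooted.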