Richard Creighton wrote:
> Just about every day, often several times a day, my logs include hours
> of log entries that look like this:
>
> Jul 16 00:35:25 raid5 sshd[6966]: Invalid user admin from 83.18.244.42
> Jul 16 00:35:30 raid5 sshd[6968]: Invalid user admin from 83.18.244.42
> Jul 16 00:35:35 raid5 sshd[6972]: Invalid user admin from 83.18.244.42
> Jul 16 00:35:40 raid5 sshd[6974]: Invalid user admin from 83.18.244.42
> Jul 16 00:35:56 raid5 sshd[6981]: Invalid user test from 83.18.244.42
> Jul 16 00:36:01 raid5 sshd[6983]: Invalid user test from 83.18.244.42
> Jul 16 00:36:06 raid5 sshd[6985]: Invalid user webmaster from 83.18.244.42
> Jul 16 00:36:11 raid5 sshd[6987]: Invalid user username from 83.18.244.42
> Jul 16 00:36:16 raid5 sshd[6989]: Invalid user user from 83.18.244.42
> Jul 16 00:36:26 raid5 sshd[6994]: Invalid user admin from 83.18.244.42
> Jul 16 00:36:31 raid5 sshd[6996]: Invalid user test from 83.18.244.42
> Jul 16 00:36:51 raid5 sshd[7017]: Invalid user danny from 83.18.244.42
> Jul 16 00:36:56 raid5 sshd[7019]: Invalid user alex from 83.18.244.42
> Jul 16 00:37:01 raid5 sshd[7022]: Invalid user brett from 83.18.244.42
> Jul 16 00:37:06 raid5 sshd[7024]: Invalid user mike from 83.18.244.42
> Jul 16 00:37:12 raid5 sshd[7027]: Invalid user alan from 83.18.244.42
> Jul 16 00:37:18 raid5 sshd[7029]: Invalid user data from 83.18.244.42
> Jul 16 00:37:22 raid5 sshd[7031]: Invalid user www-data from 83.18.244.42
> Jul 16 00:37:28 raid5 sshd[7033]: Invalid user http from 83.18.244.42
> Jul 16 00:37:33 raid5 sshd[7037]: Invalid user httpd from 83.18.244.42
> Jul 16 00:37:38 raid5 sshd[7040]: Invalid user pop from 83.18.244.42
>
> ..... and so on, ad nauseam. Obviously, someone is trying to break in
> to my system via SSH. So far as I can tell from examining my logs and
> my systems (usually at least 4 other systems on my LAN are under
> simultaneous attacks from the same source(s)), the daemon is
> successfully withstanding the assault and the system is not compromised.
>
> My question is what, if any, firewall rule could I write that could
> detect such attacks and automatically shut down forwarding packets from
> the offending node or domain? That would give me an additional layer
> of defense as well as freeing up a significant amount of log file space.
It is possible to filter on IP address in your firewall. You can also
deny addresses in various config files, such as hosts.deny etc.

--
Use OpenOffice.org <http://www.openoffice.org>
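The two mitigations named in the reply (a firewall rule on the source address, or a `hosts.deny` entry) both need something to decide *which* address to block. The script below is an added example, not code from either poster, showing the detection half: it parses sshd "Invalid user" lines in exactly the format quoted above, counts failures per source address in a sliding time window, and emits the corresponding `hosts.deny` line and an `iptables` DROP rule for any address that crosses the threshold. The sample log is partly copied from the thread and partly constructed (the `192.0.2.7` lines, which stand in for a legitimate user who mistyped a name once and must not be blocked); the threshold and window values are assumptions to tune for your site. Tools such as fail2ban and DenyHosts implement the same loop, including the expiry of blocks, which this example deliberately leaves out.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the sshd line format quoted in the thread, e.g.
# "Jul 16 00:35:25 raid5 sshd[6966]: Invalid user admin from 83.18.244.42"
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: '
    r'Invalid user (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$'
)

# Constructed sample: lines 1-4, 6, 7 are from the thread; the two 192.0.2.7
# lines are made up to represent a real user with a single typo.
SAMPLE_LOG = [
    "Jul 16 00:35:25 raid5 sshd[6966]: Invalid user admin from 83.18.244.42",
    "Jul 16 00:35:30 raid5 sshd[6968]: Invalid user admin from 83.18.244.42",
    "Jul 16 00:35:35 raid5 sshd[6972]: Invalid user admin from 83.18.244.42",
    "Jul 16 00:35:40 raid5 sshd[6974]: Invalid user admin from 83.18.244.42",
    "Jul 16 00:35:44 raid5 sshd[6977]: Invalid user jsmith from 192.0.2.7",
    "Jul 16 00:35:56 raid5 sshd[6981]: Invalid user test from 83.18.244.42",
    "Jul 16 00:36:01 raid5 sshd[6983]: Invalid user test from 83.18.244.42",
    "Jul 16 00:36:10 raid5 sshd[6990]: Accepted publickey for jsmith from 192.0.2.7 port 50112 ssh2",
]


def parse_line(line, year=2000):
    """Return (timestamp, user, ip) for an 'Invalid user' line, else None.

    syslog timestamps carry no year, so one is supplied (assumption:
    caller knows the year of the log file).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m['user'], m['ip']


def find_offenders(lines, threshold=5, window_seconds=120):
    """Return {ip: time the threshold was first crossed}.

    A per-IP deque holds the timestamps of recent failures; entries older
    than the window are dropped before the count is compared, so a slow
    trickle of typos never accumulates into a block.
    """
    recent = defaultdict(deque)
    offenders = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # not an 'Invalid user' line; ignore
        ts, _user, ip = parsed
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ip not in offenders:
            offenders[ip] = ts
    return offenders


def hosts_deny_lines(offenders):
    """TCP-wrappers syntax: 'daemon: client', one line per blocked address."""
    return [f"sshd: {ip}" for ip in sorted(offenders)]


def iptables_rules(offenders):
    """-I INPUT inserts at the top of the chain so the DROP precedes any ACCEPT."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP"
            for ip in sorted(offenders)]


if __name__ == "__main__":
    found = find_offenders(SAMPLE_LOG)
    for ip, when in found.items():
        print(f"{ip}: threshold crossed at {when:%H:%M:%S}")
    print("\n".join(hosts_deny_lines(found)))
    print("\n".join(iptables_rules(found)))
```

Run against the sample, only `83.18.244.42` is reported (five failures within 31 seconds), while `192.0.2.7` is left alone. In production the rule strings would be applied with appropriate privileges and given an expiry, since a blocked address that is later reassigned, or a spoofed source, otherwise stays blocked forever.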
