Over the weekend I was noticing that there were a lot of failed login attempts from particular IP addresses into my sshd and that got me thinking, why can't I easily have sshd work with ipfilter and block those IP addresses?
At present there are a couple of things you might wish to do:

- build a script that is specifically for that purpose (grok sshd's syslog output and poke ipfilter);
- run snort or some other host intrusion detection software that pulls data out of the log files for things like sshd.

My problem with both is that they rely on parsing the "cooked" output of some other application. That seems somewhat prone to error, never mind being less than efficient. There's also the disk space risk...

Wouldn't it be better if sshd was able to make some function call and tell something about those repeated login failures? And then if there was some way to instruct that to manage things like pools of bad IP addresses in IPFilter?

Before I start hacking on code, is there some other area of Solaris's security that should be leveraged to do this? For example, are there any C2 audit events that collect information like this?

Cheers,
Darren
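The first option above (a script that groks sshd's syslog output and feeds ipfilter) as an added example; it is not Darren's code. The log lines, the threshold of five failures, the interface name, the pool name and the allow-list are constructed assumptions, and it only renders the ipf rules and ippool commands rather than running them.

```python
import re
from collections import defaultdict

# Constructed sshd syslog sample (not from the original post).
SAMPLE_LOG = """\
Jun 12 02:14:07 host sshd[2211]: Failed password for invalid user admin from 192.0.2.10 port 40122 ssh2
Jun 12 02:14:09 host sshd[2211]: Failed password for invalid user admin from 192.0.2.10 port 40123 ssh2
Jun 12 02:14:12 host sshd[2214]: Failed password for root from 192.0.2.10 port 40130 ssh2
Jun 12 02:14:15 host sshd[2216]: Failed password for root from 192.0.2.10 port 40131 ssh2
Jun 12 02:14:20 host sshd[2220]: Failed password for invalid user test from 192.0.2.10 port 40140 ssh2
Jun 12 02:15:01 host sshd[2230]: Accepted publickey for darren from 198.51.100.7 port 51000 ssh2
Jun 12 02:16:33 host sshd[2240]: Failed password for darren from 198.51.100.7 port 51002 ssh2
"""

# Match the "cooked" failure line sshd logs, with or without "invalid user".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?\S+ "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def count_failures(log_text):
    """Return {source_ip: number of failed logins} for the given syslog text."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)

def offenders(counts, threshold=5, allowlist=()):
    """Addresses at or over the threshold, minus an allow-list so a typo in
    an admin's own password cannot lock the management host out."""
    return sorted(ip for ip, n in counts.items()
                  if n >= threshold and ip not in allowlist)

def ipf_rules(ips, iface="e1000g0"):
    """One ipf.conf rule per offender, dropping new SSH connections only."""
    return ["block in quick on %s proto tcp from %s to any port = 22" % (iface, ip)
            for ip in ips]

def ippool_commands(ips, pool="sshbad"):
    """Assumed ippool(1M) invocation to add each address to a named pool."""
    return ["ippool -a -m %s -i %s" % (pool, ip) for ip in ips]

if __name__ == "__main__":
    bad = offenders(count_failures(SAMPLE_LOG), allowlist=("198.51.100.7",))
    print("\n".join(ipf_rules(bad) + ippool_commands(bad)))
```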