On Mon, Dec 01, 2008 at 03:35:37PM +1100, Darren Reed wrote:
> Over the weekend I was noticing that there were a lot of failed
> login attempts from particular IP addresses into my sshd and
> that got me thinking, why can't I easily have sshd work with
> ipfilter and block those IP addresses?

Incidentally, there have been many projects in the Linux/OpenSSH world
to have sshd and IP filtering interact to filter naughty clients. And
there's lots of debate on the merits of such things.

Bottom-line: you'll probably want to make sure that rules derived from
failed login events have an expiration timer associated with them.

Also, there may even be PAM-based approaches to this. A quick search
for "PAM sshd IP filter" produces many results. Aha! There is a
pam_abl (auto-blacklist) module for this, mentioned in the fourth search
result.

http://sourceforge.net/projects/pam-abl
http://linux.die.net/man/1/pam_abl

I think this should be workable for Solaris too, so no need to muck with
syslog and/or auditing to get the information that you need.

Nico
--
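
Added example (not part of the message above, and not pam_abl's or ipfilter's code): a sketch of the expiration-timer point, where a block is created after repeated failures inside a time window and lapses on its own after a TTL. The class name, thresholds and the constructed `(ip, time)` events are assumptions; feeding the result into a packet filter is left out.

```python
from collections import defaultdict, deque
class ExpiringBlocklist:
    """Block an IP after `threshold` failures within `window` s; a block lapses after `ttl` s."""

    def __init__(self, threshold=3, window=60, ttl=600):
        self.threshold, self.window, self.ttl = threshold, window, ttl
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocked = {}                    # ip -> time at which the block expires

    def purge(self, now):
        """Drop expired blocks and stale failure history; return the IPs unblocked."""
        expired = sorted(ip for ip, until in self.blocked.items() if until <= now)
        for ip in expired:
            del self.blocked[ip]
        for ip in list(self.failures):
            q = self.failures[ip]
            while q and q[0] <= now - self.window:
                q.popleft()
            if not q:
                del self.failures[ip]
        return expired

    def record_failure(self, ip, now):
        """Record one failed login; return True if this event creates a new block."""
        self.purge(now)
        if ip in self.blocked:
            return False
        q = self.failures[ip]
        q.append(now)
        if len(q) >= self.threshold:
            self.blocked[ip] = now + self.ttl
            del self.failures[ip]
            return True
        return False

    def is_blocked(self, ip, now):
        return self.blocked.get(ip, 0) > now

# Constructed sample events: (source IP, seconds since start), documentation-range addresses.
EVENTS = [("192.0.2.10", 0), ("192.0.2.10", 5), ("198.51.100.7", 6),
          ("192.0.2.10", 9), ("198.51.100.7", 400), ("192.0.2.10", 700)]

def replay(events, **kw):
    bl = ExpiringBlocklist(**kw)
    return bl, [(ip, t) for ip, t in events if bl.record_failure(ip, t)]

if __name__ == "__main__":
    print(replay(EVENTS)[1])
```

Without the TTL and the purge step, the one address blocked at t=9 would stay blocked indefinitely, which matters when addresses are shared or reassigned.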