Nicolas Williams wrote:
> On Mon, Dec 01, 2008 at 03:35:37PM +1100, Darren Reed wrote:
>
>> Over the weekend I was noticing that there were a lot of failed
>> login attempts from particular IP addresses into my sshd and
>> that got me thinking, why can't I easily have sshd work with
>> ipfilter and block those IP addresses?
>>
>
> Incidentally, there have been many projects in the Linux/OpenSSH world
> to have sshd and IP filtering interact to filter naughty clients. And
> there's lots of debate on the merits of such things. Bottom-line:
> you'll probably want to make sure that rules derived from failed login
> events have an expiration timer associated with them.
>
> Also, there may even be PAM-based approaches to this. A quick search for
> "PAM sshd IP filter" produces many results. Aha! There is a pam_abl
> (auto-blacklist) module for this, mentioned in the fourth search result.
>
> http://sourceforge.net/projects/pam-abl
> http://linux.die.net/man/1/pam_abl
>
> I think this should be workable for Solaris too, so no need to muck with
> syslog and/or auditing to get the information that you need.
>

Interesting, but I'm not sure that I like the architecture of this.

Darren
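
The expiration-timer point from the quoted reply, as an added example that is not part of the thread and not code from pam_abl or ipfilter: a tracker that blocks an IP after repeated sshd failures and lets the block lapse. The log layout (ISO timestamps), the thresholds and the `ExpiringBlocklist` and `feed` names are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (documentation IP ranges), not from the thread.
SAMPLE_LOG = """\
2008-12-01T03:00:00 host sshd[101]: Failed password for root from 203.0.113.5 port 4242 ssh2
2008-12-01T03:00:10 host sshd[102]: Failed password for invalid user admin from 203.0.113.5 port 4243 ssh2
2008-12-01T03:00:20 host sshd[103]: Failed password for root from 203.0.113.5 port 4244 ssh2
2008-12-01T03:00:30 host sshd[104]: Failed password for alice from 198.51.100.7 port 5000 ssh2
2008-12-01T03:05:00 host sshd[105]: Accepted password for alice from 198.51.100.7 port 5001 ssh2
"""

FAILED = re.compile(
    r"^(\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+")


class ExpiringBlocklist:
    """Block an IP after `threshold` failures within `window`; drop the block after `ttl`."""

    def __init__(self, threshold=3, window=timedelta(minutes=10), ttl=timedelta(hours=1)):
        self.threshold, self.window, self.ttl = threshold, window, ttl
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.expires = {}                    # ip -> time at which the block lapses

    def record_failure(self, ip, when):
        recent = self.failures[ip]
        recent.append(when)
        while recent and when - recent[0] > self.window:
            recent.popleft()                 # forget failures outside the window
        if len(recent) >= self.threshold:
            self.expires[ip] = when + self.ttl
            recent.clear()                   # start counting afresh after blocking

    def blocked(self, now):
        """Purge lapsed entries and return the IPs still blocked at `now`."""
        for ip in [ip for ip, t in self.expires.items() if t <= now]:
            del self.expires[ip]
        return set(self.expires)


def feed(log_text, blocklist):
    """Record every failed-password line in `log_text`; return the blocklist."""
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            blocklist.record_failure(m.group(2), datetime.fromisoformat(m.group(1)))
    return blocklist
```

A caller would turn the set returned by `blocked()` into filter rules and withdraw the rule for any address that has dropped out of the set.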