>> does somebody among you have a better idea for this? maybe calling a
>> script which adds an iptables rule with an expiration?
>
> I have done something on the simpler side: scan the syslog on the hour
> and find these attempts and then find their IP addresses (using awk & grep
> - you could probably extend this to say allow for 2-3 attempts instead of
> one). Then I have an iptables chain called blocked which tarpits all IP
> addresses in the list; this chain is called as the first line of INPUT and
> FORWARD.  This way bad addresses stay on the blocked list for about 24
> hours.

there is already a tool which helps to solve this in this way, but this
solution is not "realtime", i.e. the logs are scanned every hour and IPs are
blocked after the scan (when everything is over).

it would be nice to configure sshd/pam/... to call a script after a
certain number of failed logins within a small period (e.g. 3 attempts within
1 minute) from the same IP, and the script adds the necessary iptables
entries to block this IP (removal can be done by another script called by
cron).

about snort: i have snort running and i have added the "bleeding edge"
rules to my configuration. these rules contain lines for "ssh scan
detection", but this does not work. even failed logins by ssh are not
really recognized by snort.

anyway, i will take a closer look at snort. this seems to be the best
approach.

thanks for the answers.

cu, gottfried
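As an added example (not code from the thread or from any of its posters), a POSIX shell sketch of the two-sided script described above: one function counts sshd "Failed password" lines per source IP inside a time window, one emits the iptables rule for a blocking chain, and one emits the cron-side expiry. The chain name `sshblock` and the "IP epoch" state format are assumptions, and the log lines are constructed samples.

```shell
# Constructed sample auth-log lines in syslog format (no real hosts):
# 203.0.113.5 fails three times within 40 s, 198.51.100.7 three times over 8 min.
SAMPLE_LOG='Jun 12 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Jun 12 10:00:17 host sshd[1203]: Failed password for root from 203.0.113.5 port 40002 ssh2
Jun 12 10:00:40 host sshd[1205]: Failed password for invalid user test from 203.0.113.5 port 40003 ssh2
Jun 12 10:05:00 host sshd[1210]: Failed password for root from 198.51.100.7 port 50001 ssh2
Jun 12 10:09:00 host sshd[1212]: Failed password for root from 198.51.100.7 port 50002 ssh2
Jun 12 10:13:00 host sshd[1214]: Failed password for root from 198.51.100.7 port 50003 ssh2
Jun 12 10:20:00 host sshd[1220]: Accepted publickey for gottfried from 192.0.2.9 port 51000 ssh2'

# ssh_offenders THRESHOLD WINDOW: reads auth-log lines on stdin and prints every
# source IP with THRESHOLD or more "Failed password" lines inside WINDOW seconds.
ssh_offenders() {
    awk -v n="$1" -v w="$2" '
    /sshd\[[0-9]+\]: Failed password for .* from [0-9.]+ port/ {
        # "Mon DD HH:MM:SS" -> seconds since start of month; enough for a
        # one-minute window, but a window spanning a month boundary is missed
        split($3, hms, ":")
        t = $2 * 86400 + hms[1] * 3600 + hms[2] * 60 + hms[3]
        for (i = 5; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
        cnt[ip]++
        ts[ip, cnt[ip]] = t          # log order is chronological
    }
    END {
        # sliding window: n consecutive failures whose span fits in w seconds
        for (ip in cnt)
            for (i = 1; i + n - 1 <= cnt[ip]; i++)
                if (ts[ip, i + n - 1] - ts[ip, i] <= w) { print ip; break }
    }' | sort
}

# block_cmds CHAIN: reads IPs on stdin and prints one iptables rule per IP.
# CHAIN (assumed name: sshblock) must already exist and be jumped to from
# INPUT/FORWARD as in the quoted setup; pipe the output into sh to apply it,
# and record "IP epoch" in a state file so the cron job can expire the block.
block_cmds() {
    while read -r ip; do
        printf 'iptables -A %s -s %s -j DROP\n' "$1" "$ip"
    done
}

# expire_cmds CHAIN NOW TTL: the cron side. Reads "IP epoch" state lines on
# stdin and prints the delete command for every block older than TTL seconds.
expire_cmds() {
    awk -v chain="$1" -v now="$2" -v ttl="$3" \
        'now - $2 >= ttl { printf "iptables -D %s -s %s -j DROP\n", chain, $1 }'
}

# Dry run: only 203.0.113.5 trips "3 failures within 60 s"; commands are printed, not executed.
printf '%s\n' "$SAMPLE_LOG" | ssh_offenders 3 60 | block_cmds sshblock
```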

-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html