I have been getting a lot of dictionary attacks against my server and want to automatically add the IP address of the offender when their failed SSH login attempts are equal to five or more. I was just going to write a dumb BASH script to do this unless there is a more intelligent way? Eric
Would something like portsentry help you with this? On Mon, 31 Jan 2005 18:46:40 -0500, Eric Esterle <eesterle@nc.rr.com> wrote:> I have been getting a lot of dictionary attacks against my server and > want to automatically add the IP address of the offender when their > failed SSH login attempts are equal to five or more. I was just going > to write a dumb BASH script to do this unless there is a more > intelligent way? > > Eric > _______________________________________________ > Shorewall-users mailing list > Post: Shorewall-users@lists.shorewall.net > Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users > Support: http://www.shorewall.net/support.htm > FAQ: http://www.shorewall.net/FAQ.htm >
Gary Buckmaster wrote:> Would something like portsentry help you with this? >portsentry is broader in scope, it would also trigger on scans and other possibly malicious behavior. I''d lean towards the special purpose script. -- Jack at Monkeynoodle dot Org: It''s a Scientific Venture... Riding the Emergency Third Rail Power Trip since 1996!
Eric Esterle wrote:> I have been getting a lot of dictionary attacks against my server and > want to automatically add the IP address of the offender when their > failed SSH login attempts are equal to five or more. I was just going > to write a dumb BASH script to do this unless there is a more > intelligent way?Maybe you could have a look here as a beginning for your script http://www.linuxmafia.com/pub/linux/security/ssh-dictionary-attack-blacklist http://www.linuxmafia.com/pub/linux/security/sshd_sentry/sshd_sentry -- guy marcenac