SSH Cracking Attempts

To: debian-user@lists.debian.org
Subject: SSH Cracking Attempts
From: Jacob S <stormspotter@6Texans.net>
Date: Wed, 29 Sep 2004 14:09:58 -0500
Message-id: <[🔎] 20040929140958.4ebc7c97@jacob.6texans.net>

Every other day or so now I'm seeing attempts in my servers logs where
some remote machine starts trying to guess a username/password
combination to ssh into the server. They try everything from 'test', to
'NOUSER', 'guest', 'root', etc., doing at least one login attempt per
second, each time from a different source port.

So, my question is this. Is there a way to tell ssh to refuse
connections from an ip address after a certain number of failed login
attempts, or is snort the only way to do something like this? So far
I've been taking the manual approach, blocking the ip address with
my firewall after I see it hitting the logs, but that can give them
about an hour to play before I notice it (e-mailed to me by logcheck).

Any suggestions? 

TIA,
Jacob

Reply to:

Follow-Ups:
- Re: SSH Cracking Attempts
  - From: Nicolas <ripley@8d.com>
- Re: SSH Cracking Attempts
  - From: Matthijs <vanaalten@hotmail.com>
- Re: SSH Cracking Attempts
  - From: Kevin Mark <kmark+debian-user@pipeline.com>
- Re: SSH Cracking Attempts
  - From: Joe <joe@jretrading.com>

Prev by Date: Firefox Install
Next by Date: Re: Firefox Install
Previous by thread: Re: Re: Firefox Install
Next by thread: Re: SSH Cracking Attempts
Index(es):
- Date
- Thread