SSH Cracking Attempts
Every other day or so now I'm seeing attempts in my server's logs where
some remote machine starts trying to guess a username/password
combination to ssh into the server. They try everything from 'test', to
'NOUSER', 'guest', 'root', etc., doing at least one login attempt per
second, each time from a different source port.
So, my question is this. Is there a way to tell ssh to refuse
connections from an IP address after a certain number of failed login
attempts, or is Snort the only way to do something like this? So far
I've been taking the manual approach, blocking the IP address with
my firewall after I see it hitting the logs, but that can give them
about an hour to play before I notice it (e-mailed to me by logcheck).