On Sat, 2004-12-04 at 11:42 -0500, Adam Rosi-Kessel wrote: > Is there any Debian package (or free software outside of Debian) that can > detect random ssh login attempts and blacklist (temporarily or > permanently) the IP address? > > portsentry is similar but not quite on point. As I understand it, > portsentry will block port scanners, but not people attempting random > logins. > > What I'd like to do is block a particular IP address if there are more > than, say, 5 attempted logins from nonexistent usernames, and more than > 10 failed logins from existent usernames. > > I've written the following little hack to do it, but I don't particularly > like running untested hacks as root, and also it'd be preferable if the > blacklisting could happen immediately, rather than as an occasional cron > job. Something that continuously tails might get around the "occasional cron job" problem. Since group adm has +r access to /var/log/syslog, a user that belongs to group adm may be the key. -- ----------------------------------------------------------------- Ron Johnson, Jr. Jefferson, LA USA PGP Key ID 8834C06B I prefer encrypted mail. 484,246 sq mi (1,254,197 sq km) are needed for 6 billion people to live, 4 persons per lot, in lots that are 60'x150' (a nice suburban US plot). That is ~ California, Texas and Missouri. Alternatively, France, Spain and The United Kingdom.
Attachment:
signature.asc
Description: This is a digitally signed message part