Re: intrusion via ssh
On Thu, 31 Mar 2005 09:02:03 -0800, Todd A. Jacobs <nospam@codegnome.org> wrote:
> On Thu, Mar 31, 2005 at 12:55:46PM +0200, Frederic Guillet wrote:
>
> > I have about 500 attempts with different usernames and the same IP so I
> > guess it is a robot which is trying to enter my system.
>
> Use /etc/hosts.deny to block that IP address. You can also achieve
> similar results in the /etc/ssh/sshd_config file. As for whether or not
> the session was actually opened, that information is being logged to
> /var/log/auth.log by default.
A while ago Andrew Pollock blogged about this.
He used (or still uses?) a netfilter module which blocks IP addresses
connecting more than 4 times in 60 seconds.
http://blog.andrew.net.au/2005/02/17#ipt_recent_and_ssh_attacks
Cheers,
-Olaf
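
Added example, not part of the original thread: a log-side approximation of the "more than 4 times in 60 seconds" rule that scans sshd lines from /var/log/auth.log and emits /etc/hosts.deny entries for offending IPs. It counts failed-password lines rather than connections as the netfilter module does; the function names and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the syslog style sshd writes to /var/log/auth.log.
SAMPLE_LOG = """\
Mar 31 10:00:01 host sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2
Mar 31 10:00:02 host sshd[2102]: Failed password for root from 198.51.100.7 port 51000 ssh2
Mar 31 10:00:03 host sshd[2103]: Failed password for illegal user test from 192.0.2.10 port 40002 ssh2
Mar 31 10:00:05 host sshd[2104]: Failed password for invalid user guest from 192.0.2.10 port 40003 ssh2
Mar 31 10:00:08 host sshd[2105]: Failed password for root from 192.0.2.10 port 40004 ssh2
Mar 31 10:00:11 host sshd[2106]: Failed password for invalid user oracle from 192.0.2.10 port 40005 ssh2
Mar 31 10:02:00 host sshd[2107]: Accepted password for alice from 203.0.113.5 port 52000 ssh2
Mar 31 10:05:30 host sshd[2108]: Failed password for root from 198.51.100.7 port 51001 ssh2
"""

# Matches failed logins for existing and unknown ("invalid"/"illegal") users.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:(?:invalid|illegal) user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
)

def find_offenders(lines, max_hits=4, window=timedelta(seconds=60), year=2005):
    """Return {ip: time of the attempt that exceeded max_hits within window}.

    Syslog timestamps carry no year, so `year` is an assumption of this example.
    """
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    offenders = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:     # drop attempts older than the window
            q.popleft()
        if len(q) > max_hits:         # "more than 4 times in 60 seconds"
            offenders.setdefault(m["ip"], ts)
    return offenders

def hosts_deny_lines(offenders):
    """Format offenders as TCP-wrappers entries for /etc/hosts.deny."""
    return [f"sshd: {ip}" for ip in sorted(offenders)]

if __name__ == "__main__":
    for entry in hosts_deny_lines(find_offenders(SAMPLE_LOG.splitlines())):
        print(entry)
```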