
Re: On defense of the sshd crackers

On Oct 9, 2007, at 9:56 AM, Raquel wrote:

> On Tue, 09 Oct 2007 10:56:20 -0400
> Kamaraju S Kusumanchi <kamaraju@bluebottle.com> wrote:
>
> > fail2ban seems to be the preferred solution. However, I just
> > manually add the offending IP addresses to /etc/hosts.deny to
> > prevent any future attacks from the same IPs.
> >
> > hth
> > raju
> > --
>
> This is a solution. But, what about people who have dynamic IP
> addresses? Everyone from AOL gets blocked from accessing anything
> on your server(s)?

Most likely he doesn't have any users on AOL, so it works for him. Most of these attacks seem to come from China, anyway. I've known people to just block all the Asian netblocks and be done with it. I hear it cuts out a lot of spam, too. Kind of a scorched-earth tactic, though!

I can't get away with that sort of thing because I *do* have users on various ISPs that use dynamic IPs. So I use fail2ban, which allows IPs to expire off the blocklist after a while. On my home system, which runs FreeBSD, I'm using sshguard. Sshguard takes a particularly clever approach, I think -- instead of polling the logfiles, like fail2ban does, it gets added to syslog.conf as a log destination, so it gets the messages directly.

Given the lists of names some of these crackers are using, I wonder what their success rate is. I can understand trying the root account, but I've seen some pretty ludicrous sets of usernames being attempted. Some seem to be just throwing a dictionary at it, and one that I ran into the other day appeared to be using a list of Finnish first names. (Not many Markos or Toivos on my machine, I'm afraid.)
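As an added illustration (not code from the original mail, fail2ban or sshguard), here is a small Python sketch of the expiring-ban logic described above: it counts failed sshd logins per source address within a time window, bans the address once a threshold is hit, and drops the ban after it expires, which is what makes this approach less damaging to dynamic-IP users than a permanent /etc/hosts.deny entry. The sample log lines, thresholds, class and function names are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth.log lines (not taken from the original mail).
SAMPLE_LOG = """\
Oct  9 10:01:02 host sshd[1201]: Failed password for invalid user marko from 203.0.113.5 port 40122 ssh2
Oct  9 10:01:05 host sshd[1203]: Failed password for invalid user toivo from 203.0.113.5 port 40130 ssh2
Oct  9 10:01:09 host sshd[1205]: Failed password for root from 203.0.113.5 port 40141 ssh2
Oct  9 10:02:00 host sshd[1210]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Oct  9 10:02:30 host sshd[1212]: Accepted password for alice from 198.51.100.7 port 51001 ssh2
"""

# Matches OpenSSH's "Failed password" line; group 1 = user, group 2 = source IP.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")

def syslog_time(line, year=2007):
    """Epoch seconds from the 15-char syslog timestamp (the year is assumed)."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S").timestamp()

class Jail:
    """fail2ban-style jail: maxretry failures within findtime => ban for bantime."""
    def __init__(self, maxretry=3, findtime=600, bantime=3600):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.bans = {}                      # ip -> time at which the ban expires

    def observe(self, log_text):
        """Feed log lines; return the (ip, unban_time) bans issued while reading."""
        issued = []
        for line in log_text.splitlines():
            m = FAILED_RE.search(line)
            if not m:
                continue                    # successful logins and other noise are ignored
            ip, now = m.group(2), syslog_time(line)
            recent = self.failures[ip]
            recent.append(now)
            while recent and now - recent[0] > self.findtime:
                recent.popleft()            # forget failures older than findtime
            if len(recent) >= self.maxretry and ip not in self.bans:
                self.bans[ip] = now + self.bantime
                issued.append((ip, self.bans[ip]))
        return issued

    def is_banned(self, ip, now):
        """True while a ban is in force; expired bans are dropped, unlike hosts.deny."""
        if ip in self.bans and now >= self.bans[ip]:
            del self.bans[ip]               # ban has expired: address is welcome again
        return ip in self.bans
```

With the sample above, the dictionary-style attacker at 203.0.113.5 is banned on its third failure, while alice's single typo from a dynamic address is never blocked.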