[WBEL-users] Daily SSH attempted logins
j at lumiere.net
Sat Mar 5 20:27:57 CST 2005
I run a modified version of a perl script called sshd_sentry by Victor
Danilchenko. I call mine login_sentry, since I modified it to do more
than just ssh. It monitors my logs for failed login attempts via ssh,
http webmail, imap, pop3, etc., anything that hits the password database
and is externally accessible.
Every 10 seconds it checks the logs for new messages. If there have been 6
or more failed login attempts (since the last successful login) by the
same IP, it adds that IP to /etc/hosts.deny as well as a special apache
hosts.deny (so they're blocked from all services, including http). It
automatically expires entries after 24 hours.
If the failed login attempts are to a list of certain bad users (root,
iceuser, jordan, nicole, nathan, nobody, apache, etc.) then it counts as
two failed logins (i.e. only 3 bad attempts needed).
It also emails me when it blocks an IP. It works well for me. I block
between 1 and 8 hosts per day. I find that there aren't really that many hosts
each night trying, it's just that each host will try thousands of times.
Once they get their connections refused however, they immediately stop
trying to connect again.
Jesse <j at lumiere.net>
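The counting logic Jesse describes (failures per IP since that IP's last successful login, bad usernames weighted double, block at 6, expire after 24 hours), as an added Python example; it is not the perl sshd_sentry/login_sentry script from the post. It handles sshd lines only, the log lines are constructed for the example, and the hosts.deny output is just the rendered list rather than a write to /etc/hosts.deny.

```python
"""login_sentry-style failed-login watcher (added example, not the original perl script)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 6                               # weight at which an IP is blocked
BAD_USERS = {"root", "iceuser", "jordan", "nicole", "nathan", "nobody", "apache"}
EXPIRE_AFTER = timedelta(hours=24)          # entries drop out of hosts.deny after this

# OpenSSH syslog patterns. Old releases log "illegal user", newer ones "invalid user".
SYSLOG_TS = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s")
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:(?:invalid|illegal) user )?(\S+) from (\d+(?:\.\d+){3})")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\d+(?:\.\d+){3})")

# Constructed sample log, not captured from a real host (RFC 5737 test addresses).
SAMPLE_LOG = """
Mar  5 20:10:01 www sshd[1001]: Failed password for root from 192.0.2.10 port 4001 ssh2
Mar  5 20:10:03 www sshd[1002]: Failed password for root from 192.0.2.10 port 4002 ssh2
Mar  5 20:10:05 www sshd[1003]: Failed password for root from 192.0.2.10 port 4003 ssh2
Mar  5 20:12:10 www sshd[1004]: Failed password for jesse from 198.51.100.7 port 5001 ssh2
Mar  5 20:12:15 www sshd[1005]: Failed password for jesse from 198.51.100.7 port 5002 ssh2
Mar  5 20:12:20 www sshd[1006]: Accepted password for jesse from 198.51.100.7 port 5003 ssh2
Mar  5 20:13:00 www sshd[1007]: Failed password for jesse from 198.51.100.7 port 5004 ssh2
Mar  5 20:13:05 www sshd[1008]: Failed password for jesse from 198.51.100.7 port 5005 ssh2
Mar  5 20:30:00 www sshd[1009]: Failed password for invalid user guest from 203.0.113.5 port 6001 ssh2
Mar  5 20:30:02 www sshd[1010]: Failed password for invalid user guest from 203.0.113.5 port 6002 ssh2
Mar  5 20:30:04 www sshd[1011]: Failed password for invalid user guest from 203.0.113.5 port 6003 ssh2
Mar  5 20:30:06 www sshd[1012]: Failed password for invalid user guest from 203.0.113.5 port 6004 ssh2
Mar  5 20:30:08 www sshd[1013]: Failed password for invalid user guest from 203.0.113.5 port 6005 ssh2
Mar  5 20:30:10 www sshd[1014]: Failed password for invalid user guest from 203.0.113.5 port 6006 ssh2
"""


def parse_ts(line, year=2005):
    """Syslog timestamps carry no year; the caller supplies it (assumed 2005 here)."""
    stamp = " ".join(SYSLOG_TS.match(line).group(1).split())
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


class LoginSentry:
    def __init__(self):
        self.weight = defaultdict(int)  # failure weight per IP since its last successful login
        self.blocked = {}               # ip -> datetime the block was added

    def process_line(self, line):
        """Feed one log line. Returns the IP if this line triggered a new block, else None."""
        m = ACCEPTED.search(line)
        if m:
            self.weight.pop(m.group(2), None)   # success resets that IP's counter
            return None
        m = FAILED.search(line)
        if not m:
            return None
        user, ip = m.groups()
        if ip in self.blocked:
            return None
        self.weight[ip] += 2 if user in BAD_USERS else 1   # bad names: 3 tries suffice
        if self.weight[ip] >= THRESHOLD:
            self.blocked[ip] = parse_ts(line)
            del self.weight[ip]
            return ip
        return None

    def expire(self, now):
        """Drop blocks older than EXPIRE_AFTER. Returns the IPs released."""
        released = sorted(ip for ip, t in self.blocked.items() if now - t >= EXPIRE_AFTER)
        for ip in released:
            del self.blocked[ip]
        return released

    def hosts_deny(self):
        """Render the current block list in hosts.deny syntax."""
        return "\n".join(f"ALL: {ip}" for ip in sorted(self.blocked))


def scan(log_text):
    """Run every line of log_text through a fresh sentry; returns (sentry, IPs blocked in order)."""
    sentry, hits = LoginSentry(), []
    for line in log_text.strip().splitlines():
        ip = sentry.process_line(line)
        if ip:
            hits.append(ip)
    return sentry, hits


if __name__ == "__main__":
    sentry, hits = scan(SAMPLE_LOG)
    for ip in hits:
        print(f"would mail admin: blocked {ip} at {sentry.blocked[ip]}")
    print(sentry.hosts_deny())
```

Running it blocks 192.0.2.10 on its third root attempt and 203.0.113.5 on its sixth guess, while 198.51.100.7 stays unblocked: its two early failures were wiped by the successful login, so only the two later ones count. Expiry is a separate pass the caller drives on its own 10-second poll with the current time.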