[WBEL-users] Daily SSH attempted logins

Jesse j at lumiere.net
Sat Mar 5 20:27:57 CST 2005

I run a modified version of a perl script called sshd_sentry by Victor 
Danilchenko. I call mine login_sentry, since I modified it to do more 
than just ssh. It monitors my logs for failed login attempts via ssh, 
http webmail, imap, pop3, etc., anything that hits the password database 
and is externally accessible.

Every 10 seconds it checks the logs for new messages. If there have been 6 
or more failed login attempts (since the last successful login) by the 
same IP, it adds that IP to /etc/hosts.deny as well as a special apache 
hosts.deny (so they're blocked from all services, including http). It 
automatically expires entries after 24 hours.

If the failed login attempts are to a list of certain bad users (root, 
iceuser, jordan, nicole, nathan, nobody, apache, etc.) then it counts as 
two failed logins (i.e. only 3 bad attempts needed).

It also emails me when it blocks an IP. It works well for me. I block 
between 1-8 hosts per day. I find that there aren't really that many hosts 
each night trying, it's just that each host will try thousands of times. 
Once they get their connections refused, however, they immediately stop 
trying to connect again.

Jesse <j at lumiere.net>
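The counting and blocking logic Jesse describes (failures counted per IP since that IP's last successful login, "bad" usernames weighted double, a threshold of 6, entries expiring after 24 hours), written out as an added Python example that is not Jesse's login_sentry script nor Victor Danilchenko's sshd_sentry. The log lines, the BAD_USERS list beyond the names in the post, and the hosts.deny comment format are constructed assumptions.

```python
import re
from datetime import datetime, timedelta
# Constructed sample auth-log lines (not from the post): 203.0.113.7 hammers "bad" usernames,
# 198.51.100.9 is a real user who mistypes, logs in successfully, then mistypes once more.
SAMPLE_LOG = """\
Mar  5 20:10:01 host sshd[1001]: Failed password for invalid user jordan from 203.0.113.7 port 4401 ssh2
Mar  5 20:10:03 host sshd[1002]: Failed password for invalid user nicole from 203.0.113.7 port 4402 ssh2
Mar  5 20:10:05 host sshd[1003]: Failed password for root from 203.0.113.7 port 4403 ssh2
Mar  5 20:11:00 host sshd[1010]: Failed password for alice from 198.51.100.9 port 5000 ssh2
Mar  5 20:11:20 host sshd[1011]: Failed password for alice from 198.51.100.9 port 5001 ssh2
Mar  5 20:11:40 host sshd[1012]: Accepted password for alice from 198.51.100.9 port 5002 ssh2
Mar  5 20:12:00 host sshd[1013]: Failed password for alice from 198.51.100.9 port 5003 ssh2
"""
BAD_USERS = {"root", "iceuser", "jordan", "nicole", "nathan", "nobody", "apache"}
THRESHOLD = 6                               # 6 plain failures, or 3 against a bad username
EXPIRY = timedelta(hours=24)
EXAMPLE_NOW = datetime(2005, 3, 5, 20, 27)  # fixed "now" so the example is reproducible
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"Accepted \S+ for (\S+) from (\S+) port")

def score_log(text):
    """Return {ip: weighted failure count since that IP's last successful login}."""
    scores = {}
    for line in text.splitlines():
        ok = ACCEPTED.search(line)
        if ok:
            scores[ok.group(2)] = 0          # a successful login resets the counter for that IP
            continue
        bad = FAILED.search(line)
        if bad:
            user, ip = bad.groups()
            scores[ip] = scores.get(ip, 0) + (2 if user in BAD_USERS else 1)
    return scores

def update_blocks(blocks, scores, now):
    """Drop expired blocks, then add every IP at or above THRESHOLD with a 24h expiry."""
    blocks = {ip: exp for ip, exp in blocks.items() if exp > now}
    for ip, score in scores.items():
        if score >= THRESHOLD and ip not in blocks:
            blocks[ip] = now + EXPIRY
    return blocks

def render_hosts_deny(blocks):
    """Render {ip: expiry} as hosts.deny text. The expiry goes on its own '#' line because
    tcp_wrappers only treats whole lines beginning with '#' as comments."""
    lines = []
    for ip, exp in sorted(blocks.items()):
        lines.append(f"# login_sentry: blocked until {exp.isoformat(timespec='minutes')}")
        lines.append(f"ALL: {ip}")
    return "".join(line + "\n" for line in lines)

if __name__ == "__main__":
    print(render_hosts_deny(update_blocks({}, score_log(SAMPLE_LOG), EXAMPLE_NOW)), end="")
```

A real sentry would persist the block dict between its 10-second runs and write the rendered text to /etc/hosts.deny (and the separate apache deny file) atomically, so that a half-written file is never read by tcp_wrappers.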

