[WBEL-users] Daily SSH attempted logins
sudev at mantraonline.com
Sat Mar 5 22:12:33 CST 2005
On Sat, 2005-03-05 at 18:27 -0800, Jesse wrote:
> I run a modified version of a perl script called sshd_sentry by Victor
> Danilchenko. I call mine login_sentry, since I modified it to do more
> than just ssh. It monitors my logs for failed login attempts via ssh,
> http webmail, imap, pop3, etc.. anything that hits the password database
> and is externally accessible.
> Every 10 seconds it checks the logs for new messages. If there have been 6
> or more failed login attempts (since the last successful login) by the
> same IP, it adds that IP to /etc/hosts.deny as well as a special apache
> hosts.deny (so they're blocked from all services, including http). It
> automatically expires entries after 24 hours.
> If the failed login attempts are to a list of certain bad users (root,
> iceuser, jordan, nicole,nathan, nobody, apache, etc.) then it counts as
> two failed logins (i.e. only 3 bad attempts needed).
> It also emails me when it blocks an IP. It works well for me. I block
> between 1-8 hosts per day. I find that there aren't really that many hosts
> each night trying, it's just that each hosts will try thousands of times.
> Once they get their connections refused however, they immediately stop
> trying to connect again.
Can you share the script?
More information about the Whitebox-users