[WBEL-users] Daily SSH attempted logins
js at wsco.com
Sun Mar 6 01:16:43 CST 2005
Very nice indeed!
Me like it.
Is it difficult to install?
js at wsco.com
----- Original Message -----
From: "Sudev Barar" <sudev at mantraonline.com>
To: <whitebox-users at beau.org>
Sent: Sunday, March 06, 2005 6:12 AM
Subject: Re: [WBEL-users] Daily SSH attempted logins
> On Sat, 2005-03-05 at 18:27 -0800, Jesse wrote:
>> I run a modified version of a perl script called sshd_sentry by Victor
>> Danilchenko. I call mine login_sentry, since I modified it to do more
>> than just ssh. It monitors my logs for failed login attempts via ssh,
>> http webmail, imap, pop3, etc. anything that hits the password database
>> and is externally accessible.
>> Every 10 seconds it checks the logs for new messages. If there have been
>> or more failed login attempts (since the last successful login) by the
>> same IP, it adds that IP to /etc/hosts.deny as well as a special apache
>> hosts.deny (so they're blocked from all services, including http). It
>> automatically expires entries after 24 hours.
>> If the failed login attempts are to a list of certain bad users (root,
>> iceuser, jordan, nicole, nathan, nobody, apache, etc.) then it counts as
>> two failed logins (i.e. only 3 bad attempts needed).
>> It also emails me when it blocks an IP. It works well for me. I block
>> between 1-8 hosts per day. I find that there aren't really that many
>> each night trying, it's just that each host will try thousands of times.
>> Once they get their connections refused however, they immediately stop
>> trying to connect again.
> Can you share the script?
> Sudev Barar
> Learning Linux
> Whitebox-users mailing list
> Whitebox-users at beau.org
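
The counting logic Jesse describes above, as an added Python sketch; it is not his login_sentry script or sshd_sentry, and it returns hosts.deny lines rather than writing the file. Assumptions: the threshold of 5 (the number is missing from the post), the OpenSSH password log message format, and all class and function names.

```python
import re
from datetime import datetime, timedelta

THRESHOLD = 5          # assumed: the post does not give the number
BAD_USERS = {"root", "iceuser", "jordan", "nicole", "nathan", "nobody", "apache"}
BLOCK_TTL = timedelta(hours=24)   # expiry stated in the post
# Anchored at the end with a greedy user field, so "from <ip>" text smuggled
# into a username cannot make the sentry block an address of the sender's choice.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>.*) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$")

class LoginSentry:
    def __init__(self, year=2005):    # syslog timestamps carry no year
        self.year = year
        self.score = {}      # ip -> weighted failures since last success
        self.blocked = {}    # ip -> datetime at which the block expires

    def feed(self, line):
        """Process one log line; return the IP if this line triggers a block."""
        m = LINE.match(line)
        if not m:
            return None
        ts = datetime.strptime(f"{self.year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        if m["result"] == "Accepted":
            self.score.pop(ip, None)  # success resets the counter
            return None
        self.score[ip] = self.score.get(ip, 0) + (2 if m["user"] in BAD_USERS else 1)
        if self.score[ip] >= THRESHOLD and ip not in self.blocked:
            self.blocked[ip] = ts + BLOCK_TTL
            return ip
        return None

    def deny_lines(self, now):
        """Expire old blocks, then return the hosts.deny entries to write."""
        for ip in [i for i, exp in self.blocked.items() if exp <= now]:
            del self.blocked[ip]
            self.score.pop(ip, None)
        return [f"ALL: {ip}" for ip in sorted(self.blocked)]

if __name__ == "__main__":
    sentry = LoginSentry()
    for user in ("root", "invalid user nathan", "invalid user bob"):  # constructed
        hit = sentry.feed(f"Mar  5 18:27:01 box sshd[4321]: Failed password for "
                          f"{user} from 203.0.113.7 port 4000 ssh2")
    print(hit, sentry.deny_lines(datetime(2005, 3, 5, 19, 0)))
```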