[WBEL-users] Daily SSH attempted logins

Alon js at wsco.com
Sun Mar 6 01:16:43 CST 2005


very nice indeed!
Me like it.
Is it difficult to install?

- Alon
js at wsco.com
----- Original Message ----- 
From: "Sudev Barar" <sudev at mantraonline.com>
To: <whitebox-users at beau.org>
Sent: Sunday, March 06, 2005 6:12 AM
Subject: Re: [WBEL-users] Daily SSH attempted logins


> On Sat, 2005-03-05 at 18:27 -0800, Jesse wrote:
>> I run a modified version of a Perl script called sshd_sentry by Victor
>> Danilchenko. I call mine login_sentry, since I modified it to do more
>> than just ssh. It monitors my logs for failed login attempts via ssh,
>> http webmail, imap, pop3, etc. Anything that hits the password database
>> and is externally accessible.
>>
>> Every 10 seconds it checks the logs for new messages. If there have been 6
>> or more failed login attempts (since the last successful login) by the
>> same IP, it adds that IP to /etc/hosts.deny as well as a special apache
>> hosts.deny (so they're blocked from all services, including http). It
>> automatically expires entries after 24 hours.
>>
>> If the failed login attempts are to a list of certain bad users (root,
>> iceuser, jordan, nicole, nathan, nobody, apache, etc.) then it counts as
>> two failed logins (i.e. only 3 bad attempts needed).
>>
>> It also emails me when it blocks an IP. It works well for me. I block
>> between 1-8 hosts per day. I find that there aren't really that many hosts
>> each night trying, it's just that each host will try thousands of times.
>> Once they get their connections refused however, they immediately stop
>> trying to connect again.
>
> Can you share the script?
> -- 
> Sudev Barar
> Learning Linux
>
> 
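
The blocking rules described in the quoted message (threshold of 6, double weight for the listed usernames, reset on a successful login, 24-hour expiry), as an added Python example; it is not sshd_sentry or login_sentry code, which is not shown in this thread. The class and function names, the OpenSSH log-line shapes, and the per-IP reading of "since the last successful login" are assumptions, and the sample lines are constructed.

```python
import re

THRESHOLD = 6            # weighted failures that trigger a block (from the post)
BLOCK_TTL = 24 * 3600    # blocks expire after 24 hours (from the post)
BAD_USERS = {"root", "iceuser", "jordan", "nicole", "nathan", "nobody", "apache"}
# Assumed OpenSSH message shapes. Anchoring on the end of the line with a greedy
# username keeps a username that itself contains " from <addr>" from spoofing the IP.
FAILED = re.compile(r"Failed password for (?:(?:invalid|illegal) user )?(.*) from (\S+) port \d+ ssh2$")
ACCEPTED = re.compile(r"Accepted \S+ for (.*) from (\S+) port \d+ ssh2$")

class LoginSentry:
    def __init__(self):
        self.score = {}      # ip -> weighted failures since its last success
        self.blocked = {}    # ip -> epoch time the block was added

    def feed(self, now, line):
        """Process one log line seen at epoch `now`; return the IP if newly blocked."""
        m = ACCEPTED.search(line)
        if m:
            self.score.pop(m.group(2), None)   # a success resets that IP's count
            return None
        m = FAILED.search(line)
        if not m or m.group(2) in self.blocked:
            return None
        user, ip = m.groups()
        self.score[ip] = self.score.get(ip, 0) + (2 if user in BAD_USERS else 1)
        if self.score[ip] < THRESHOLD:
            return None
        self.blocked[ip] = now
        del self.score[ip]
        return ip

    def expire(self, now):
        """Drop blocks that are BLOCK_TTL old or older; return the released IPs."""
        old = [ip for ip, t in self.blocked.items() if now - t >= BLOCK_TTL]
        for ip in old:
            del self.blocked[ip]
        return old

    def hosts_deny(self):
        """Render the current blocks as tcp_wrappers hosts.deny lines."""
        return [f"ALL: {ip}" for ip in sorted(self.blocked)]

# Constructed sample lines using documentation addresses, not real logs.
SAMPLE = [
    "sshd[411]: Failed password for root from 192.0.2.10 port 4022 ssh2",
    "sshd[412]: Failed password for invalid user nathan from 192.0.2.10 port 4023 ssh2",
    "sshd[413]: Failed password for apache from 192.0.2.10 port 4024 ssh2",
    "sshd[414]: Failed password for alice from 198.51.100.7 port 5100 ssh2",
    "sshd[415]: Accepted password for alice from 198.51.100.7 port 5101 ssh2",
]
```

Three attempts against listed usernames reach the threshold of 6, so feeding `SAMPLE` blocks 192.0.2.10 on the third line, while the single failure from 198.51.100.7 is cleared by the successful login that follows it.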



