Swatch is your friend! It watches log files in real time (within a second or two, anyway) and reacts just like you want. Have it watch the security log file for failed attempts from a single IP and run an IPTABLES command when a count is reached within a certain time period.

-Michael
Bruce Smith <blubdog@gmail.com> 02/03 9:09 AM >>>

I'm sure most people have seen tons of invalid SSH login attempts by some fairly new cracking program that guesses user IDs and passwords. The problem is getting worse and more frequent.

I was wondering if there is any way to configure SSH to block an IP after a certain number of invalid logins, for a certain amount of time (i.e. after 5 bad logins, block the IP for an hour). Or maybe there is an IDS that can do that? I looked at snort and can't find anything about SSH.

BTW, I'm aware of other ways to make SSH more secure, like not allowing password authentication and only allowing RSA/DSA keys, changing the port SSH listens on, port knocking, etc. I just thought that automatic IP blocking, like I ask about above, would be a good idea under some circumstances.

- BS
Historians believe that on Thu, 03 Feb 2005 15:10:36 -0600 "Michael Weber" <mweber@alliednational.com> wrote:
Swatch is your friend!
It watches log files in real time (within a second or two, anyway) and reacts just like you want.
Have it watch the security log file for failed attempts from a single IP and run an IPTABLES command when a count is reached within a certain time period.
There is a script at http://bluedogsecurity.cyberinfo.se/ssh_block

Good luck.

--
Victor Hugo dos Santos
Linux Counter #224399
Puerto Montt - Chile
http://www.hospitalityclub.org/

He who keeps something he does not need is equal to a thief. (M Gandhi)
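
The approach discussed in this thread (count failed SSH logins per source address inside a time window, then produce a firewall rule), sketched in Python as an added example. It is not Swatch configuration and not code from either poster or from the linked script. The log lines are constructed; the limit of 5 and the one-hour block come from the question, while the 10-minute window, the year and all function names are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Greedy ".*" makes the LAST "from <ip> port <n>" on the line win, so text placed
# in the username field cannot choose which address ends up blocked.
FAILED = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
                    r".* from (\d{1,3}(?:\.\d{1,3}){3}) port \d+(?: ssh2)?\s*$")

def find_offenders(lines, limit=5, window=timedelta(minutes=10),
                   block_for=timedelta(hours=1), year=2005):
    """Map each IP that reaches `limit` failures inside `window` to its unblock time."""
    recent = defaultdict(deque)           # ip -> timestamps of recent failures
    offenders = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so the caller supplies it (assumption)
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:       # drop failures older than the window
            q.popleft()
        if len(q) >= limit and ip not in offenders:
            offenders[ip] = when + block_for
    return offenders

def block_command(ip):
    """argv for the firewall rule; returned as a list (no shell), not executed here."""
    return ["iptables", "-I", "INPUT", "-s", ip, "-p", "tcp", "--dport", "22", "-j", "DROP"]

def _fail(ts, ip, user="root"):           # builds one constructed sshd log line
    return f"Feb  3 {ts} host sshd[1201]: Failed password for {user} from {ip} port 40110 ssh2"

# Constructed sample log (documentation address ranges), not real traffic.
SAMPLE = (
    [_fail(f"0{h}:30:00", "198.51.100.9") for h in (0, 2, 4, 6, 8)]   # slow: never 5 in 10 min
    + [_fail(f"09:00:{s:02d}", "203.0.113.7", "invalid user admin") for s in (1, 5, 9, 14, 20)]
    + ["Feb  3 09:01:00 host sshd[1300]: Accepted publickey for bruce from 192.0.2.4 port 5022 ssh2"]
    + [_fail("09:02:00", "192.0.2.4", "x from 198.51.100.9 port 1 ssh2")]  # "from" inside username
)

if __name__ == "__main__":
    for ip, until in find_offenders(SAMPLE).items():
        print(" ".join(block_command(ip)), "# unblock at", until)
```

Because the rule is only built and printed, the thresholds can be tuned against a copy of the real log before anything is wired to the firewall.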