Patrick Shanahan wrote:
* Dan Abernathy [11-07-05 19:55]:
I notice several automated break-in attempts appearing in /var/log/messages regarding sshd. A small sample:
Nov 7 14:34:10 d8400 sshd[18607]: Invalid user a from 71.129.198.189
Nov 7 14:34:11 d8400 sshd[18609]: Invalid user aaron from 71.129.198.189
Hundreds of entries like the above, working their way through every English letter using common first names, as well as names of services like Apache.
I ran across this Novell Cool Solutions article: http://www.novell.com/coolsolutions/trench/16341.html
It describes the use of a shell script, run once per minute using a cron job, that parses information from /var/log/messages and adds offending IP addresses to /etc/hosts.deny.
Look closely at http://sf.net/projects/denyhosts
I have been using it for about a month and it appears to work very well.
I created my own using Perl and fileschanged (http://fileschanged.sourceforge.net/). fileschanged monitors the secure log and, when the log changes, calls my Perl script. My script determines whether new entries look like
Nov 7 13:37:15 hostname sshd[9847]: Did not receive identification string from 221.253.105.173
or
Nov 7 13:49:35 hostname sshd[9992]: Illegal user james from 61.144.56.34
If I get a match, an entry is added using iptables to reject the host. The script traps the dictionary attacks within a few seconds. A side effect of using iptables is that the incoming connection hangs waiting for a timeout.
When I mentioned this script to a friend at work, his response was to block everyone except the IPs or domains where you expect connections to come from, instead of being reactive.
Tom
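As an added example (not the Novell article's cron script, not denyhosts, and not Tom's Perl script), here is the detection logic both messages describe, written in Python so it can be run over a handful of log lines offline. It matches the three sshd messages quoted in the thread, counts offending lines per source address, applies a per-IP threshold and a whitelist of networks that must never be locked out, and then produces both the /etc/hosts.deny lines (the article's approach) and the iptables commands (Tom's approach) as strings rather than applying them. The sample log, the threshold of 3, the whitelist of 10.0.0.0/8 and 127.0.0.0/8, and all function names are constructed for this example.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log, modelled on the entries quoted in the thread
# (one line from cron is included to show that non-sshd lines are ignored).
SAMPLE_LOG = """\
Nov  7 14:34:10 d8400 sshd[18607]: Invalid user a from 71.129.198.189
Nov  7 14:34:11 d8400 sshd[18609]: Invalid user aaron from 71.129.198.189
Nov  7 14:34:12 d8400 sshd[18611]: Invalid user abby from 71.129.198.189
Nov  7 13:37:15 d8400 sshd[9847]: Did not receive identification string from 221.253.105.173
Nov  7 13:49:35 d8400 sshd[9992]: Illegal user james from 61.144.56.34
Nov  7 13:49:36 d8400 sshd[9993]: Illegal user apache from 61.144.56.34
Nov  7 13:49:37 d8400 sshd[9994]: Illegal user admin from 61.144.56.34
Nov  7 13:50:01 d8400 sshd[9995]: Invalid user backup from 10.0.0.5
Nov  7 13:50:02 d8400 sshd[9996]: Invalid user backup from 10.0.0.5
Nov  7 13:50:03 d8400 sshd[9997]: Invalid user backup from 10.0.0.5
Nov  7 13:50:04 d8400 cron[1234]: (root) CMD (/usr/local/bin/checklog)
"""

# The three sshd messages quoted in the thread. Older OpenSSH logs "Illegal user",
# newer versions log "Invalid user"; both are matched by one pattern.
PATTERNS = [
    re.compile(r"sshd\[\d+\]: (?:Invalid|Illegal) user (?P<user>\S+) from (?P<ip>[\d.]+)"),
    re.compile(r"sshd\[\d+\]: Did not receive identification string from (?P<ip>[\d.]+)"),
]

# Networks that must never be blocked, so a typo from the LAN cannot lock you out.
# These values are assumptions for the example.
WHITELIST = [ip_network("10.0.0.0/8"), ip_network("127.0.0.0/8")]


def parse_offenders(log_text):
    """Return {source_ip: [usernames tried]}.

    Identification-string probes carry no username and are recorded as ''.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        for pat in PATTERNS:
            m = pat.search(line)
            if m:
                hits[m.group("ip")].append(m.groupdict().get("user", ""))
                break
    return dict(hits)


def is_whitelisted(ip):
    addr = ip_address(ip)
    return any(addr in net for net in WHITELIST)


def select_blocks(hits, threshold=3):
    """Addresses with at least `threshold` offending lines that are not whitelisted."""
    return sorted(ip for ip, users in hits.items()
                  if len(users) >= threshold and not is_whitelisted(ip))


def hosts_deny_lines(ips):
    """Lines to append to /etc/hosts.deny (the cron-script approach)."""
    return ["sshd: %s" % ip for ip in ips]


def iptables_commands(ips):
    """Commands for the iptables approach; REJECT with a TCP reset fails the
    attacker's connection immediately instead of leaving it to time out."""
    return ["iptables -I INPUT -s %s -p tcp --dport 22 -j REJECT --reject-with tcp-reset" % ip
            for ip in ips]


if __name__ == "__main__":
    offenders = parse_offenders(SAMPLE_LOG)
    for ip, users in sorted(offenders.items()):
        print("%-16s %d attempts, users: %s" % (ip, len(users), " ".join(u or "<none>" for u in users)))
    blocked = select_blocks(offenders)
    print("\n".join(hosts_deny_lines(blocked)))
    print("\n".join(iptables_commands(blocked)))
```

With the sample above, 71.129.198.189 and 61.144.56.34 reach the threshold and are blocked, 221.253.105.173 has a single probe and is left alone, and 10.0.0.5 is skipped because it is whitelisted. Two practical caveats: the hosts.deny route only works if sshd was built with tcp_wrappers (libwrap) support, and with iptables the hang Tom mentions comes from DROP, whereas REJECT with tcp-reset closes the attacker's connection at once.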