* Dan Abernathy <dapub@charter.net> [11-07-05 19:55]:
I notice several automated break-in attempts appearing in /var/log/messages regarding sshd. A small sample:
Nov 7 14:34:10 d8400 sshd[18607]: Invalid user a from 71.129.198.189
Nov 7 14:34:11 d8400 sshd[18609]: Invalid user aaron from 71.129.198.189
Hundreds of entries like the above, working their way through every English letter using common first names, also names of services like Apache.
I ran across this Novell Cool Solutions article: http://www.novell.com/coolsolutions/trench/16341.html
It describes the use of a shell script, run once per minute using a cron job, that parses information from /var/log/messages and adds offending IP addresses to /etc/hosts.deny.
Look closely at http://sf.net/projects/denyhosts
I have been using it for about a month and it appears to work very well.
Added to root's crontab:
*/6 * * * * /usr/bin/denyhosts.py -c /etc/denyhosts.cfg
Has its own annotated config file.
--
Patrick Shanahan
Registered Linux User #207535 http://wahoo.no-ip.org @ http://counter.li.org
HOG # US1244711
Photo Album: http://wahoo.no-ip.org/gallery2
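The log-parsing approach both messages describe (a cron-run script that pulls the source IPs of "Invalid user" sshd entries out of /var/log/messages and writes them to /etc/hosts.deny), as an added Python example that is neither the Novell script nor denyhosts itself. The sample log lines, the threshold of three attempts and the allowlist are constructed for the example; the merge step keeps the script idempotent across repeated cron runs.

```python
import re
from collections import Counter

# Constructed sample in the syslog format quoted in the thread (not real traffic).
SAMPLE_LOG = """\
Nov 7 14:34:10 d8400 sshd[18607]: Invalid user a from 71.129.198.189
Nov 7 14:34:11 d8400 sshd[18609]: Invalid user aaron from 71.129.198.189
Nov 7 14:34:12 d8400 sshd[18611]: Invalid user apache from 71.129.198.189
Nov 7 14:35:02 d8400 sshd[18620]: Invalid user test from 10.0.0.5
Nov 7 14:35:05 d8400 sshd[18622]: Accepted publickey for dan from 192.168.1.20 port 51122 ssh2
"""

# Only sshd "Invalid user <name> from <ipv4>" lines are counted; successful logins are ignored.
INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\d{1,3}(?:\.\d{1,3}){3})")

def count_invalid_users(log_text):
    """Return a Counter mapping source IP -> number of 'Invalid user' attempts."""
    counts = Counter()
    for line in log_text.splitlines():
        m = INVALID_USER.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts

def hosts_deny_entries(counts, threshold, allowlist=()):
    """Build hosts.deny lines ('sshd: IP') for IPs at or over the threshold.

    The allowlist (assumed: your own admin hosts) is never written, so a typo in
    your own username cannot lock you out of the box.
    """
    return sorted(f"sshd: {ip}" for ip, n in counts.items()
                  if n >= threshold and ip not in allowlist)

def merge_into_hosts_deny(existing_text, new_entries):
    """Append only entries not already present; existing lines are left untouched.

    Returns (new file text, list of entries actually added).
    """
    existing = {line.strip() for line in existing_text.splitlines()}
    added = [e for e in new_entries if e not in existing]
    out = existing_text if existing_text.endswith("\n") or not existing_text else existing_text + "\n"
    return out + "".join(e + "\n" for e in added), added

if __name__ == "__main__":
    counts = count_invalid_users(SAMPLE_LOG)
    entries = hosts_deny_entries(counts, threshold=3, allowlist={"192.168.1.20"})
    text, added = merge_into_hosts_deny("", entries)   # "" stands in for the current /etc/hosts.deny
    print(text, end="")                                # sshd: 71.129.198.189
```

In a real cron job you would read /var/log/messages and /etc/hosts.deny in place of SAMPLE_LOG and the empty string, and write the merged text back atomically.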