Shown below is a snapshot of too many illegal attempts to log in to
my server from a suspicious hacker. This is taken from
"/var/log/auth.log". My question is, how do I automatically block
an IP address if it is attempting to guess my login usernames?
Can I configure the firewall to check the instances a certain IP
has attempted to access/ssh the server, and if it has failed to
log in for about "x" number of attempts, it will be blocked
automatically?

This question is asked on the list every so often - see the archives for suggestions. These are automated attacks, they come regularly as crackers, black hats or script kiddies scan across the net.

Does anybody know what robots are being used? And on what systems? All you mention later in your posting is true of course and I needn't care about these logs, but it's like somebody unknown puts 10 flyers in your letterbox every night. I'm sure, one night you'll hide and build a trap for that person. I'm too lazy to enter those net-circles for finding these robots, but maybe someone else has already done that?

I haven't done that, but if you don't like them you can block them fairly easily... I wrote a little script in PHP (not that it would be hard to re-write in perl or whatever) that watches /var/log/auth.log and if it sees an invalid login, it adds a firewall rule to block that IP.


Then I've got a separate cronjob that removes those firewall rules a couple minutes later.

Yes, I have locked myself out of my own server when I mistype my password, but I just wait a minute and it lets me back in.

I thought about modifying it so instead of outright blocking it, it put it into a pipe that limited its bandwidth to almost nil just to hold the thing up a bit, but this works for me.

http://www.pjkh.com/sshmonitor/

-philip
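
The watcher idea from this message, combined with the "x failed attempts" threshold from the original question so that one mistyped password does not trigger a block, as an added example (not the script linked above and not code from the thread). The sshd log line formats, the `ips_to_block` name, the pf table `sshblock` and the sample addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Address is anchored to end of line, so a username like "x from 192.0.2.1"
# cannot make the watcher block an address of the sender's choosing.
# "Failed password for invalid user" is skipped: sshd already logged
# "Invalid user" for that attempt, and counting both would double the tally.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Invalid user .*|Failed password for (?!invalid user ).*)"
    r" from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?: port \d+)?(?: ssh2)?$"
)

def ips_to_block(lines, threshold=3, window=60, allow=()):
    """Return IPs with >= threshold failures inside `window` seconds."""
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    blocked = []
    for line in lines:
        m = FAIL_RE.match(line.rstrip("\n"))
        if not m or m["ip"] in allow or m["ip"] in blocked:
            continue
        # syslog timestamps carry no year; a fixed leap year keeps Feb 29 valid
        ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) >= threshold:
            blocked.append(m["ip"])
    return blocked

# Constructed sample lines (documentation addresses), not from the thread.
SAMPLE = """\
Mar  3 02:11:01 host sshd[811]: Invalid user admin from 203.0.113.9
Mar  3 02:11:01 host sshd[811]: Failed password for invalid user admin from 203.0.113.9 port 4022 ssh2
Mar  3 02:11:04 host sshd[813]: Invalid user test from 203.0.113.9
Mar  3 02:11:09 host sshd[815]: Failed password for root from 203.0.113.9 port 4031 ssh2
Mar  3 02:12:30 host sshd[820]: Failed password for alice from 198.51.100.7 port 5100 ssh2
Mar  3 02:15:00 host sshd[822]: Invalid user x from 192.0.2.1 from 198.51.100.20
Mar  3 02:40:00 host sshd[830]: Failed password for alice from 198.51.100.7 port 5101 ssh2
"""

if __name__ == "__main__":
    for ip in ips_to_block(SAMPLE.splitlines()):
        # Assumption: pf with a table "sshblock" used by a block rule; a cron
        # job running "pfctl -t sshblock -T expire 120" lifts old entries.
        print(f"pfctl -t sshblock -T add {ip}")
```

Passing your own management address in `allow` keeps a run of typos from locking you out at all.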