On Wed, Dec 3, 2008 at 2:16 PM, Nikos Chantziaras <[EMAIL PROTECTED]> wrote: > Steve wrote: >> >> [...] >> Sure, I could use IPtables to block all these bad ports... or... I could >> disable password authentication entirely... but I keep thinking that >> there has to be something better I can do... any suggestions? > > I'm using DenyHosts to battle this. It adds the IPs to /etc/hosts.deny > after a configurable amount of failed logins. It even downloads an online > list of IPs where attacks originate from and uploads attacks to your box to > this list too (if you allow it in the configuration). > > After I installed this, no more brute-forcing :) I used to have thousands > per day. > > http://www.denyhosts.net > > It's in portage.
The big botnet attacks are doing no more than 2 login attempts per IP, making stuff like denyhosts hard to use (unless you set it to ban after 1 login attempt, but that'll catch real users who make a typo)
