Richard Creighton wrote:
> Just about every day, often several times a day, my logs include hours
> of log entries that look like this:
>
> Jul 16 00:35:25 raid5 sshd[6966]: Invalid user admin from 83.18.244.42

<snip>

> My question is what, if any, firewall rule could I write that could
> detect such attacks and automatically shut down forwarding packets from
> the offending node or domain? That would give me an additional layer
> of defense as well as freeing up a significant amount of log file space.

I prefer a more simple approach. Rather than adding more firewall rules, I set the sshd allowed_users parameter to the 2 accounts that actually have a reason to log in, and I also limit the IP addresses which will accept an ssh connection using tcp wrappers (hosts.allow, hosts.deny).

Joe
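An added example, not part of either poster's message: a Python tally of the `Invalid user` lines quoted above, marking which sources fall outside an allow-list of networks such as the one kept in hosts.allow. Only the first sample line comes from the thread; the other log lines, the 192.0.2.0/24 network, the threshold and the function name are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: only the first line is quoted in the thread.
SAMPLE_LOG = """\
Jul 16 00:35:25 raid5 sshd[6966]: Invalid user admin from 83.18.244.42
Jul 16 00:35:27 raid5 sshd[6968]: Invalid user test from 83.18.244.42
Jul 16 00:35:30 raid5 sshd[6970]: Invalid user guest from 83.18.244.42
Jul 16 07:12:01 raid5 sshd[7001]: Invalid user jeo from 192.0.2.15
Jul 16 07:12:09 raid5 sshd[7003]: Accepted password for joe from 192.0.2.15 port 40022 ssh2
"""

# The user name is text supplied by the remote side, so match it greedily:
# the address is then always taken from the last " from " on the line.
INVALID_USER = re.compile(
    r"sshd\[\d+\]: Invalid user (?P<user>.*) from (?P<ip>\S+)(?: port \d+)?\s*$"
)

def tally_invalid_users(log_text, allowed_nets=(), threshold=3):
    """Return {ip: {"attempts", "users", "allowed", "flagged"}} (hypothetical helper)."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    seen = defaultdict(lambda: {"attempts": 0, "users": set()})
    for line in log_text.splitlines():
        m = INVALID_USER.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # not a literal address (e.g. a hostname); skipped here
        entry = seen[str(ip)]
        entry["attempts"] += 1
        entry["users"].add(m.group("user"))
    report = {}
    for ip, entry in seen.items():
        allowed = any(ipaddress.ip_address(ip) in n for n in nets)
        report[ip] = {
            "attempts": entry["attempts"],
            "users": sorted(entry["users"]),
            "allowed": allowed,  # inside the allow-list networks
            "flagged": (not allowed) and entry["attempts"] >= threshold,
        }
    return report

if __name__ == "__main__":
    for ip, info in tally_invalid_users(SAMPLE_LOG, ["192.0.2.0/24"]).items():
        print(ip, info)
```

Sources reported with `allowed` set to False are the ones an allow-list in hosts.allow would turn away before they reach a login prompt.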
