| 1 |
On Sun, Apr 01, 2007 at 04:03:48PM +0300, Daniel Iliev wrote: |
| 2 |
> Hi, guys |
| 3 |
> |
| 4 |
> Recently I was looking through my logs when I got pissed off (again) by |
| 5 |
> the big number of lines showing something like 'sshd: auth. error: |
| 6 |
> unknown user "XXX" from "some IP address"'. I wrote a script which |
| 7 |
> automatically sets all connections from those IP addresses to be |
| 8 |
> dropped. Next I decided to change "-j DROP" with "-j TARPIT" and I |
| 9 |
> realized that gentoo-sources doesn't provide the netfilter target "TARPIT". |
| 10 |
|
| 11 |
Instead of using iptables, you may want to try DenyHosts |
| 12 |
(app-admin/denyhosts). It's a simple Python script that parses through |
| 13 |
/var/log/secure (or whatever your sshd logs to) and finds IPs who have |
| 14 |
failed authentication a certain number of times, then adds those IPs to |
| 15 |
/etc/hosts.deny. Naturally, the threshold for blocking a host can be |
| 16 |
configured, and many other options can too. It's worked great for me, |
| 17 |
and I've used it for about half a year now. |
| 18 |
|
| 19 |
The website for the DenyHosts project is: |
| 20 |
http://denyhosts.sourceforge.net/ |
| 21 |
|
| 22 |
I hope that I read your question right and that this will help. |
| 23 |
|
| 24 |
Ryan Curtin |
| 25 |
ryan@××××××××××××.com |
| 26 |
|
| 27 |
-- |
| 28 |
<www.igglybob.com> |
| 29 |
-- |
| 30 |
gentoo-user@g.o mailing list |
Archives