Re: [Nolug] blocking SSH

From: Jesse Planck <jesse.planck_at_gmail.com>
Date: Sun, 5 Sep 2004 11:46:54 -0500
Message-ID: <c141e086040905094634910fd3@mail.gmail.com>

Wow! That's a huge number of probes!

I know you can use the standard hosts.allow / hosts.deny access control.

# /etc/hosts.allow

sshd : 10.40. : allow

# /etc/hosts.deny

sshd : ALL : deny

I wonder if you could use PAM to create a rule that would ban like
what you are asking. I think there are also some configuration
settings with sshd itself that you may look at.

Jess

On Sun, 5 Sep 2004 12:28:20 -0400 (EDT), Petri Laihonen
<pietu@weblizards.net> wrote:
> This is an excerpt of my logwatch report from yesterday.
> !Note the line "root (61.8.206.67): 436 Time(s)"
>
> sshd:
> Invalid Users:
> Unknown Account: 22 Time(s)
> Authentication Failures:
> unknown (s217-115-138-105.colo.hosteurope.de ): 6 Time(s)
> unknown (61.8.206.67 ): 9 Time(s)
> unknown (210.101.248.112 ): 6 Time(s)
> unknown (216.195.44.86 ): 1 Time(s)
> root (61.8.206.67 ): 436 Time(s)
> root (s217-115-138-105.colo.hosteurope.de ): 3 Time(s)
> root (210.101.248.112 ): 3 Time(s)
>
> Is there a way to completely block access to the server from the offending
> IP, let's say... after 3 authentication failures?
>
> Pietu
> ___________________
> Nolug mailing list
> nolug@nolug.org
>
Received on 09/05/04
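
Added example (not part of the original messages or of any tool named in them): one way to combine the "3 authentication failures" threshold from the question with the hosts.deny syntax from the reply. It assumes OpenSSH syslog lines of the form "Failed password for ... from <addr> port <n> ssh2"; the function name deny_entries, the sample log and its addresses are constructed for illustration.

```python
import re
from collections import Counter

# Anchored at end of line: the greedy ".*" swallows the user name, so only the
# final "from <addr> port <n>" written by sshd itself is read as the source and
# address-like text inside the user name field is ignored.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:invalid|illegal) user )?.* "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+(?: ssh2)?\s*$"
)

def deny_entries(log_lines, threshold=3, allow_prefix="10.40."):
    """Return hosts.deny lines for sources with >= threshold failed logins.

    allow_prefix mirrors the hosts.allow rule in the message (assumed to be
    the trusted network); those addresses are never listed.
    """
    failures = Counter()
    for line in log_lines:
        m = FAILED.search(line)
        if m and not m.group(1).startswith(allow_prefix):
            failures[m.group(1)] += 1
    offenders = sorted(ip for ip, n in failures.items() if n >= threshold)
    return [f"sshd : {ip} : deny" for ip in offenders]

# Constructed sample log (documentation address ranges, not real hosts).
SAMPLE_LOG = """\
Sep  4 03:12:01 host sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Sep  4 03:12:03 host sshd[2102]: Failed password for root from 203.0.113.7 port 40113 ssh2
Sep  4 03:12:05 host sshd[2103]: Failed password for illegal user test from 203.0.113.7 port 40114 ssh2
Sep  4 03:12:07 host sshd[2104]: Failed password for illegal user a from 198.51.100.9 port 22 ssh2 from 203.0.113.7 port 40115 ssh2
Sep  4 04:00:10 host sshd[2110]: Failed password for root from 198.51.100.20 port 51000 ssh2
Sep  4 04:00:12 host sshd[2111]: Failed password for root from 198.51.100.20 port 51001 ssh2
Sep  4 08:30:00 host sshd[2120]: Failed password for alice from 10.40.1.5 port 1022 ssh2
Sep  4 08:30:04 host sshd[2121]: Failed password for alice from 10.40.1.5 port 1023 ssh2
Sep  4 08:30:09 host sshd[2122]: Failed password for alice from 10.40.1.5 port 1024 ssh2
Sep  4 08:30:15 host sshd[2123]: Accepted password for alice from 10.40.1.5 port 1025 ssh2
""".splitlines()

if __name__ == "__main__":
    print("\n".join(deny_entries(SAMPLE_LOG)))
```

The returned lines are meant to be reviewed before being placed in /etc/hosts.deny ahead of the catch-all "sshd : ALL : deny" rule; counts here cover the whole log rather than a time window.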