Wow! That's a huge number of probes!
I know you can use the standard hosts.allow / hosts.deny access control.
# /etc/hosts.allow
sshd : 10.40. : allow
# /etc/hosts.deny
sshd : ALL : deny
I wonder if you could use PAM to create a rule that would ban like
what you are asking. I think there are also some configuration
settings with sshd itself that you may look at.
Jess
On Sun, 5 Sep 2004 12:28:20 -0400 (EDT), Petri Laihonen
<pietu@weblizards.net> wrote:
> This is an excerpt of my logwatch report from yesterday.
> !Note the line "root (61.8.206.67): 436 Time(s)"
>
> sshd:
> Invalid Users:
> Unknown Account: 22 Time(s)
> Authentication Failures:
> unknown (s217-115-138-105.colo.hosteurope.de ): 6 Time(s)
> unknown (61.8.206.67 ): 9 Time(s)
> unknown (210.101.248.112 ): 6 Time(s)
> unknown (216.195.44.86 ): 1 Time(s)
> root (61.8.206.67 ): 436 Time(s)
> root (s217-115-138-105.colo.hosteurope.de ): 3 Time(s)
> root (210.101.248.112 ): 3 Time(s)
>
> Is there a way to completely block access to the server from the offending
> IP, let's say... after 3 authentication failures?
>
> Pietu
> ___________________
> Nolug mailing list
> nolug@nolug.org
>
Received on 09/05/04
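
An added example, not part of the original messages: one way to turn the "after 3 authentication failures" threshold from the question into hosts.deny entries in the syntax shown in the reply. It assumes OpenSSH-style "Failed password for ... from ADDR port N" log lines and a hosts.deny without the "sshd : ALL : deny" rule; the log lines, addresses and function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Greedy ".*" binds to the LAST "from <addr> port <n>" on the line, so a crafted
# user name containing " from 10.40.0.1 port 1" cannot shift the count elsewhere.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for .* from (\S+) port \d+(?: ssh\d)?\s*$")
THRESHOLD = 3               # "after 3 authentication failures"
TRUSTED_PREFIX = "10.40."   # same network as the hosts.allow rule in the reply

# Constructed sample log (documentation address ranges, made-up users and PIDs).
SAMPLE_LOG = """\
Sep  4 03:12:01 host sshd[2101]: Failed password for root from 192.0.2.67 port 40112 ssh2
Sep  4 03:12:03 host sshd[2103]: Failed password for root from 192.0.2.67 port 40115 ssh2
Sep  4 03:12:05 host sshd[2105]: Failed password for illegal user test from 192.0.2.67 port 40119 ssh2
Sep  4 03:20:44 host sshd[2140]: Failed password for root from 198.51.100.12 port 51000 ssh2
Sep  4 03:20:47 host sshd[2142]: Failed password for root from 198.51.100.12 port 51001 ssh2
Sep  4 03:20:50 host sshd[2144]: Failed password for illegal user x from 10.40.0.1 port 1 from 198.51.100.12 port 51002 ssh2
Sep  4 04:01:10 host sshd[2200]: Failed password for alice from 10.40.3.7 port 33001 ssh2
Sep  4 04:01:14 host sshd[2202]: Failed password for alice from 10.40.3.7 port 33002 ssh2
Sep  4 04:01:19 host sshd[2204]: Failed password for alice from 10.40.3.7 port 33003 ssh2
Sep  4 04:30:00 host sshd[2300]: Failed password for root from 203.0.113.5 port 60000 ssh2
""".splitlines()


def count_failures(lines):
    """Count failed password attempts per source IPv4 address."""
    counts = Counter()
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.IPv4Address(m.group(1))
        except ValueError:
            continue  # not an IPv4 literal: never copy log text into hosts.deny
        counts[str(addr)] += 1
    return counts


def deny_rules(lines, threshold=THRESHOLD, trusted_prefix=TRUSTED_PREFIX):
    """Return hosts.deny lines for untrusted sources at or over the threshold."""
    return [f"sshd : {addr} : deny"
            for addr, n in sorted(count_failures(lines).items())
            if n >= threshold and not addr.startswith(trusted_prefix)]


if __name__ == "__main__":
    print("\n".join(deny_rules(SAMPLE_LOG)))
```

Review the printed lines before appending them to /etc/hosts.deny; because hosts.allow is consulted first, the 10.40. rule would keep matching even if a trusted address were listed.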