Re: [Nolug] blocking SSH

From: Mark A. Hershberger <mah_at_everybody.org>
Date: Sun, 05 Sep 2004 14:04:51 -0400
Message-ID: <87isaspp6k.fsf@weblog.localhost>

"Petri Laihonen" <pietu@weblizards.net> writes:

> Is there a way to completely block access to the server from the offending
> IP, let's say... after 3 authentication failures?

I don't know of a tool that will do this, but I've been thinking of
writing a tool that will watch logfiles and block IP addresses when
it sees suspicious activity. For example, I'm getting these root
probes on ssh as well as regular probes on Apache for FrontPage
vulnerabilities and the like.

It'd be nice to block IPs that generate these probes. I use
portsentry for unused ports, but it is no good on used ports.

Mark.

-- 
A choice between one man and a shovel, or a dozen men with teaspoons
is clear to me, and I'm sure it is clear to you also.
    -- Zimran Ahmed <http://www.winterspeak.com/>

___________________
Nolug mailing list
nolug@nolug.org

Received on 09/05/04
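
The log-watching idea discussed in the message above, as an added example that is not part of the original post or any existing tool: it counts sshd "Failed password" lines per source IP and reports addresses that reach 3 failures inside a time window. The OpenSSH syslog line format, the function and parameter names, the 10-minute window, the year default and the sample log are assumptions made for illustration; the firewall action is left to the caller.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH failure line. The user field is remote-controlled, so it is matched
# greedily and the address is read from the END of the line; a user name such
# as "x from 192.0.2.1 port 22 ssh2" must not get an unrelated host blocked.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r".+ from (\d{1,3}(?:\.\d{1,3}){3}) port \d+(?: ssh\d*)?$"
)

def offenders(lines, threshold=3, window=timedelta(minutes=10),
              allowlist=frozenset(), year=2004):  # syslog omits the year (assumed)
    """Return IPs that reach `threshold` failures within `window`, in order."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = []
    for line in lines:
        m = FAILED.match(line.rstrip("\n"))
        if not m:
            continue
        stamp, ip = m.groups()
        if ip in allowlist or ip in flagged:
            continue              # never flag trusted hosts; flag others once
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        seen = recent[ip]
        seen.append(when)
        while when - seen[0] > window:
            seen.popleft()        # forget failures older than the window
        if len(seen) >= threshold:
            flagged.append(ip)
    return flagged

# Constructed sample log (documentation address ranges, hypothetical host "box")
SAMPLE = """\
Sep  5 14:00:01 box sshd[811]: Failed password for root from 203.0.113.5 port 4022 ssh2
Sep  5 14:00:03 box sshd[812]: Failed password for root from 203.0.113.5 port 4023 ssh2
Sep  5 14:00:04 box sshd[813]: Accepted password for alice from 198.51.100.20 port 5000 ssh2
Sep  5 14:00:06 box sshd[814]: Failed password for illegal user admin from 203.0.113.5 port 4024 ssh2
Sep  5 14:01:00 box sshd[815]: Failed password for illegal user x from 192.0.2.1 port 22 ssh2 from 198.51.100.7 port 6000 ssh2
Sep  5 14:01:02 box sshd[816]: Failed password for illegal user x from 192.0.2.1 port 22 ssh2 from 198.51.100.7 port 6001 ssh2
Sep  5 14:01:04 box sshd[817]: Failed password for illegal user x from 192.0.2.1 port 22 ssh2 from 198.51.100.7 port 6002 ssh2
Sep  5 14:02:00 box sshd[818]: Failed password for root from 198.51.100.9 port 7000 ssh2
Sep  5 14:30:00 box sshd[819]: Failed password for root from 198.51.100.9 port 7001 ssh2
Sep  5 15:00:00 box sshd[820]: Failed password for root from 198.51.100.9 port 7002 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip in offenders(SAMPLE):
        print("block", ip)
```

Put your own management addresses in `allowlist` before wiring the result to a firewall rule, so a few mistyped passwords cannot lock you out.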
