[ale] 300,000 failed login attempts in 6 months!!!
Stephen Cristol
stephen at bee.net
Mon Aug 18 14:08:34 EDT 2008
I've had similar issues. Besides the options mentioned (DenyHosts,
fail2ban), I found a few others:

- sshdfilter (http://www.csc.liv.ac.uk/~greg/sshdfilter/)
- sshguard (http://sshguard.sourceforge.net/)
- ABL PAM module (http://sourceforge.net/projects/pam-abl)
- iptables limit or recent (http://snowman.net/projects/ipt_recent/)
  modules
- Similar projects: sshit, blocksshd, crackblock, ssh-faker,
  shellter, sshutout

Comments:

- I use this on a box in another state, so I wanted something where
  it would be difficult to lock myself out. I started by experimenting
  with the iptables recent module. This worked well enough that I have
  not pursued other options.
- If you want to build your own solution, Bob Toxen's book includes a
  script for extracting the necessary information from /var/log/messages.
- The PAM module (above) is particularly intriguing as I believe it
  avoids having to constantly dig through log files.
- A final thought is to use the "AllowUsers" or "AllowGroups" options
  in sshd_config. These limit who can connect to those users or groups
  explicitly listed. I think it has the added benefit of not even
  trying to authenticate users that are not on the list. (If so, this
  may interact badly with the ABL PAM module.)

HTH,
S
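
Added example (not part of the original post, and not the script from Bob Toxen's book): a small log scan that applies the same "hitcount within seconds" idea as the iptables recent module to failed sshd logins, so you can see which sources a given threshold would catch before enforcing it. The OpenSSH "Failed password" syslog line format, the thresholds, the assumed year, and the sample lines are assumptions made for this sketch.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches OpenSSH "Failed password" syslog lines, with or without "invalid user".
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+"
)

def find_offenders(lines, hitcount=4, seconds=60, year=2008):
    """Return {ip: time the threshold was first crossed} for sources with at
    least `hitcount` failed logins inside any `seconds`-long window."""
    window = timedelta(seconds=seconds)
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    offenders = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue  # accepted logins and unrelated messages are ignored
        # Classic syslog timestamps carry no year, so one is assumed.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        hits = recent[m.group(2)]
        hits.append(ts)
        while ts - hits[0] >= window:  # expire failures older than the window
            hits.popleft()
        if len(hits) >= hitcount:
            offenders.setdefault(m.group(2), ts)
    return offenders

def _line(clock, pid, who, ip):
    return (f"Aug 18 {clock} host sshd[{pid}]: Failed password for {who} "
            f"from {ip} port 40000 ssh2")

# Constructed sample input (documentation-range addresses, made-up users).
SAMPLE = [
    _line("14:00:01", 1001, "invalid user admin", "203.0.113.5"),
    _line("14:00:03", 1002, "root", "203.0.113.5"),
    _line("14:00:05", 1003, "invalid user test", "203.0.113.5"),
    _line("14:00:07", 1004, "root", "203.0.113.5"),
    _line("14:00:10", 1005, "alice", "198.51.100.7"),  # a mistyped password
    _line("14:05:10", 1006, "alice", "198.51.100.7"),  # again, 5 minutes on
    "Aug 18 14:05:30 host sshd[1007]: Accepted password for alice "
    "from 198.51.100.7 port 51000 ssh2",
]

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE).items():
        print(f"{ip} crossed the threshold at {when}")
```

Unlike the iptables recent module, which counts new connections, this counts failed authentications, so a legitimate user who mistypes a password twice five minutes apart (the second source in the sample) stays under the default threshold.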