Re: Advice on dealing with scripted SSH attacks?

I don't know if it is exactly what you are looking
for,
but I know a lot of people that are using the Ossec
HIDS to block these attempts. It analyzes the logs in
real time and after a few number of failed logins or
invalid users from the same source IP, it blocks this
IP for a few minutes (default to 6 minutes). It is
very easy to install and can be helpful :)

*a new version has just been released

Thanks,

--
Daniel B. Cid
dcid @ ( at ) ossec.net
http://www.ossec.net


--- "Zembower, Kevin" <kzembowe@jhuccp.org> escreveu:

> What's the current advice on dealing with scripts
> that repeatedly try to
> log onto SSH using a list of common usernames and
> 'password' for the
> password? I get up to 4,000 of these a day from a
> single server. In
> searching Google on this, I've learned of techniques
> using PAM and
> firewall rules that are created dynamically in
> response to log-in
> attempts.
>
> Can someone point out a link or tell me what they
> think are the best
> practices for dealing with this? Sooner or later,
> one of my users is
> going to have the unfortunate combination of a
> common user name and a
> bad password. 
>
> Ideally, what I'd like would be a system that
> exponentially increases
> the timeout period after each repeated failed login
> attempt from the
> same host up to a maximum of 10-20 minutes before
> resetting.
>
> Thanks for your advice.
>
> -Kevin Zembower



                
_______________________________________________________ 
Novo Yahoo! Messenger com voz: Instale agora e faça ligações de graça. 
http://br.messenger.yahoo.com/