[net] user connection to sshd

Corey Edwards tensai at zmonkey.org
Sun Jul 10 23:52:38 MDT 2005


On Sat, 2005-07-09 at 23:05 -0600, Jeff Schroeder wrote:
> 2) It would be clever and effective to have some process running on your 
> server, and when it detected multiple failed SSH login attempts, it 
> would add a rule to a running iptables ruleset to block that IP.  This 
> is reactive, rather than proactive, but stops repeated hits from the 
> same place.

That /would/ be pretty cool. I wonder if anybody has written such a
thing. Oh, yeah. *I* did! It's called SSH Lockout.

        http://www.zmonkey.org/blog/node/28

Version 0.4.0 now supports CIDR whitelists, syslog and sports a spiffy
new SYS V init script. Contributions are always welcome. I've been
running it on my servers for quite some time and found it extremely
useful.

> I imagine after a few days you'd have an impressive blacklist. ;)

Well, by default it automatically removes the firewall rule after a
while. I've never thought about publishing my results. Anybody think
that would actually be useful?

Corey
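The reactive scheme discussed above (count failed sshd logins per source, skip a CIDR whitelist, add an iptables DROP rule, and remove it again after a lockout period), as an added illustration that is not SSH Lockout's own code. It assumes OpenSSH's "Failed password ... from IP port N" syslog format and constructs its own sample log lines; the iptables commands are returned as strings rather than executed.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample auth.log lines, not taken from the original post.
SAMPLE_LOG = """\
Jul 10 23:40:01 host sshd[1001]: Failed password for root from 203.0.113.7 port 40001 ssh2
Jul 10 23:40:03 host sshd[1002]: Failed password for invalid user admin from 203.0.113.7 port 40002 ssh2
Jul 10 23:40:05 host sshd[1003]: Failed password for root from 203.0.113.7 port 40003 ssh2
Jul 10 23:40:09 host sshd[1004]: Failed password for root from 192.168.1.20 port 50001 ssh2
Jul 10 23:40:11 host sshd[1005]: Failed password for root from 192.168.1.20 port 50002 ssh2
Jul 10 23:40:12 host sshd[1006]: Failed password for root from 192.168.1.20 port 50003 ssh2
Jul 10 23:41:00 host sshd[1007]: Accepted publickey for corey from 198.51.100.9 port 60001 ssh2
"""

# Matches OpenSSH's failed-password line and captures the source address.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for .* from (\S+) port \d+")


def find_offenders(log_text, threshold, whitelist):
    """Return the set of source IPs with at least `threshold` failed logins,
    ignoring any address that falls inside a whitelisted CIDR range."""
    nets = [ipaddress.ip_network(c) for c in whitelist]
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    offenders = set()
    for ip, n in counts.items():
        addr = ipaddress.ip_address(ip)
        if n >= threshold and not any(addr in net for net in nets):
            offenders.add(ip)
    return offenders


def block_rules(ips):
    """iptables commands that insert a DROP rule per offender (the reactive block)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(ips)]


def unblock_rules(ips):
    """Matching delete commands, run once the lockout period has elapsed."""
    return [f"iptables -D INPUT -s {ip} -j DROP" for ip in sorted(ips)]


def expired(blocked_at, now, ttl):
    """Given {ip: unix_time_blocked}, return the IPs whose lockout of `ttl`
    seconds has run out, so the rule can be removed automatically."""
    return sorted(ip for ip, t in blocked_at.items() if now - t >= ttl)
```

A daemon would tail the log, call find_offenders on a sliding window, run block_rules for new offenders, and periodically run unblock_rules on whatever expired returns.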


