
Michael Cree wrote:
On 22/10/2004, at 9:57 AM, John R. McPherson wrote:
For a few weeks (or more), some of us have noticed lots of connection attempts on port 22 (the ssh port) from IP addresses all around, suggesting it is an automated worm rather than `just' script kiddies.
Yes, you're right. I have just taken a look at our logs on a server with open ssh access and, indeed, there are quite a number of obvious connection attempts at trying to guess passwords on standard accounts (such as root, admin, user, guest, etc.).
In our case shutting down access to specific IP ranges is not a viable option, since we cannot know ahead of time what are the valid IP numbers that legitimate connections come from.
So that raises a question: Is there a means by which the ssh connections can be monitored and, if there is a series of attempts from one originating IP number involving illegal usernames or invalid passwords, to have that IP address dumped into a host reject list? Presumably that would have to be a temporary blacklist since the IP address is likely to be dynamically allocated by some ISP.
http://www.wlug.org.nz/pam_tally(8) Kinda looks to do what you want, per user, not per IP tho :)
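
The per-IP temporary reject list asked about above, as an added example that is not part of the original thread or of any tool it mentions. It assumes sshd's "Failed password for ... from IP port N ssh2" syslog lines; the thresholds, function names and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy (not from the thread): 3 failures within 60 s -> 10 minute ban.
THRESHOLD = 3
WINDOW = timedelta(seconds=60)
BAN = timedelta(minutes=10)

# sshd logs "Failed password for <user> from <ip> port <n> ssh2" for wrong
# passwords and for unknown ("invalid"/"illegal") users alike. The greedy ".*"
# plus the end anchor takes the LAST "from <ip>", so a username crafted to
# contain " from 192.0.2.9" cannot get someone else's address banned.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .*"
    r" from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+(?: ssh\d)?\s*$"
)

def find_bans(lines, year=2004):
    """Return {ip: ban_expiry} for sources reaching THRESHOLD within WINDOW."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside WINDOW
    bans = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so the caller supplies one
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > WINDOW:      # drop failures older than the window
            q.popleft()
        if len(q) >= THRESHOLD:
            bans[m["ip"]] = ts + BAN   # temporary: a new burst extends it
    return bans

def active_bans(bans, now):
    """Addresses still blocked at `now`; expired entries fall off the list."""
    return sorted(ip for ip, expiry in bans.items() if now < expiry)

# Constructed sample log lines (documentation address ranges, made-up host/users).
SAMPLE = [
    "Oct 22 09:57:01 srv sshd[411]: Failed password for illegal user admin from 203.0.113.7 port 4001 ssh2",
    "Oct 22 09:57:04 srv sshd[412]: Failed password for illegal user guest from 203.0.113.7 port 4002 ssh2",
    "Oct 22 09:57:09 srv sshd[413]: Failed password for root from 203.0.113.7 port 4003 ssh2",
    "Oct 22 09:58:00 srv sshd[420]: Failed password for alice from 198.51.100.20 port 5100 ssh2",
    "Oct 22 09:58:30 srv sshd[421]: Accepted password for alice from 198.51.100.20 port 5101 ssh2",
    "Oct 22 09:59:00 srv sshd[430]: Failed password for illegal user x from 192.0.2.9 from 203.0.113.7 port 4004 ssh2",
]
```

A single mistyped password from a legitimate user stays under the threshold, and the ban for the guessing source lapses on its own once the expiry time passes.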