[H-GEN] iptables autoblocking
James Mills
prologic at shortcircuit.net.au
Wed Jul 20 03:26:04 EDT 2005
On Wed, Jul 20, 2005 at 12:10:36AM -0700, Anthony Irwin wrote:
> [ Humbug *General* list - semi-serious discussions about Humbug and ]
> [ Unix-related topics. Posts from non-subscribed addresses will vanish. ]
>
> Hi everyone,
>
> I have been looking through my logs and noticed that
> over the last month I have had a large number of
> different ip addresses trying to login to my system
> via ssh with generated user names.
>
> I was wondering if there is a way I could easily write
> a script that automatically added invalid user login
> attempts via ssh to be blocked in iptables and added
> to a block list.
>
> below is a sample of my /var/log/auth.log file.
>
> Jul 20 10:30:41 localhost sshd[31205]: Illegal user
> test from 210.53.138.21
> Jul 20 10:30:44 localhost sshd[31207]: Illegal user
> test from 210.53.138.21
> Jul 20 10:30:47 localhost sshd[31209]: Illegal user
> guest from 210.53.138.21
> Jul 20 10:30:50 localhost sshd[31211]: Illegal user
> guest from 210.53.138.21
> Jul 20 10:31:00 localhost sshd[31217]: Illegal user
> daniel from 210.53.138.21
> Jul 20 10:31:06 localhost sshd[31221]: Illegal user
> admin from 210.53.138.21
> Jul 20 10:31:10 localhost sshd[31223]: Illegal user
> admin from 210.53.138.21
>
> I would really like to be able to automatically block
> such attacks. I have thought about limiting ssh to
> certain ip addresses but would prefer to leave it open
> so I can login from anywhere.
>
> Any suggestions would be appreciated.
My own systems undergo such attacks as well. A couple of months ago one
of my boxes was attacked in this way with ~20,000 login attempts. I
would be interested in what others have to say first before I
contribute... I have as yet _not_ implemented any solution.
cheers
James
--
--
-"Problems are Solved by Method"
-
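
One way to approach the script asked about above, as an added example that is not part of the original thread: it counts "Illegal user" lines per source address and builds (but does not run) iptables DROP rules. The threshold, the allowlist, the function names and the last two sample log lines are assumptions made for the illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the format quoted above (lines unwrapped). The last two
# entries are constructed: a user name containing " from <ip>", and a good login.
SAMPLE_LOG = """\
Jul 20 10:30:41 localhost sshd[31205]: Illegal user test from 210.53.138.21
Jul 20 10:30:44 localhost sshd[31207]: Illegal user test from 210.53.138.21
Jul 20 10:30:47 localhost sshd[31209]: Illegal user guest from 210.53.138.21
Jul 20 10:31:00 localhost sshd[31217]: Illegal user daniel from 210.53.138.21
Jul 20 10:31:06 localhost sshd[31221]: Illegal user admin from 210.53.138.21
Jul 20 10:32:10 localhost sshd[31301]: Illegal user x from 192.0.2.7 from 203.0.113.9
Jul 20 10:33:00 localhost sshd[31400]: Accepted password for anthony from 198.51.100.4 port 4022 ssh2
"""

# The user name is chosen by the client, so it can contain " from <addr>".
# Greedy ".*" plus "$" picks the LAST " from <addr>", the field that closes
# the line in the format quoted above.
LINE_RE = re.compile(r"sshd\[\d+\]: Illegal user .* from (\S+)$")

THRESHOLD = 5              # assumed policy: block at 5 invalid-user attempts
ALLOWLIST = {"127.0.0.1"}  # assumed: addresses that must never be blocked


def count_offenders(log_text):
    """Return a Counter of source IPv4 address -> number of 'Illegal user' lines."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line.rstrip())
        if not m:
            continue
        try:
            ip = ipaddress.IPv4Address(m.group(1))  # reject anything not IPv4
        except ValueError:
            continue
        hits[str(ip)] += 1
    return hits


def block_rules(hits, threshold=THRESHOLD, allowlist=ALLOWLIST):
    """Return iptables argv lists (not executed) for IPs at or over threshold."""
    return [["iptables", "-I", "INPUT", "-s", ip, "-p", "tcp", "--dport", "22", "-j", "DROP"]
            for ip, n in sorted(hits.items())
            if n >= threshold and ip not in allowlist]


if __name__ == "__main__":
    for rule in block_rules(count_offenders(SAMPLE_LOG)):
        print(" ".join(rule))
```

Keeping the rules as argument lists means a logged address never passes through a shell, and the allowlist guards against locking out the address you administer the box from.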