[ale] 300,000 failed login attempts in 6 months!!!

Stephen Cristol stephen at bee.net
Mon Aug 18 14:08:34 EDT 2008


I've had similar issues. Besides the options mentioned (DenyHosts,  
fail2ban), I found a few others:

- sshdfilter (http://www.csc.liv.ac.uk/~greg/sshdfilter/)
- sshguard (http://sshguard.sourceforge.net/)
- ABL PAM module (http://sourceforge.net/projects/pam-abl)
- iptables limit or recent (http://snowman.net/projects/ipt_recent/)  
modules
- Similar projects: sshit, blocksshd, crackblock, ssh-faker,  
shellter, sshutout

Comments:

- I use this on a box in another state, so I wanted something where
it would be difficult to lock myself out. I started by experimenting  
with the iptables recent module. This worked well enough that I have  
not pursued other options.

- If you want to build your own solution, Bob Toxen's book includes a  
script for extracting the necessary information from /var/log/messages.

- The PAM module (above) is particularly intriguing as I believe it  
avoids having to constantly dig through log files.

- A final thought is to use the "AllowUsers" or "AllowGroups" options  
in sshd_config. These limit who can connect to those users or groups  
explicitly listed. I think it has the added benefit of not even  
trying to authenticate users that are not on the list. (If so, this  
may interact badly with the ABL PAM module.)

HTH,
S
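
Added example, not part of the original post and not the script from Bob Toxen's book: a small log scanner in the spirit of the "build your own" suggestion, counting failed sshd password attempts per source address in a sliding time window. The log lines, addresses, user names and the thresholds (4 failures in 60 seconds) are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in the syslog format OpenSSH writes; the addresses are
# documentation ranges and the user names are made up.
SAMPLE_LOG = """\
Aug 18 14:00:01 box sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Aug 18 14:00:04 box sshd[2103]: Failed password for root from 203.0.113.7 port 40118 ssh2
Aug 18 14:00:09 box sshd[2105]: Accepted password for alice from 192.0.2.10 port 51000 ssh2
Aug 18 14:00:15 box sshd[2107]: Failed password for invalid user test from 203.0.113.7 port 40125 ssh2
Aug 18 14:00:21 box sshd[2109]: Failed password for root from 203.0.113.7 port 40131 ssh2
Aug 18 14:05:00 box sshd[2140]: Failed password for alice from 198.51.100.23 port 33012 ssh2
Aug 18 14:09:30 box sshd[2166]: Failed password for alice from 198.51.100.23 port 33020 ssh2
"""

FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)

def parse_failures(text, year=2008):
    """Yield (timestamp, user, source_ip) for each failed-password line."""
    for line in text.splitlines():
        m = FAILED.match(line)
        if m:
            # Syslog timestamps carry no year, so the caller supplies one.
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)

def offenders(text, hitcount=4, seconds=60):
    """Map each source IP to the time it first hit `hitcount` failures
    inside a sliding window of `seconds` (thresholds are assumptions)."""
    window = defaultdict(deque)
    flagged = {}
    for ts, _user, ip in parse_failures(text):
        hits = window[ip]
        hits.append(ts)
        while (ts - hits[0]).total_seconds() > seconds:
            hits.popleft()  # forget failures older than the window
        if len(hits) >= hitcount and ip not in flagged:
            flagged[ip] = ts
    return flagged

if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG).items():
        print(f"{ip} reached the threshold at {when:%b %d %H:%M:%S}")
```

In the sample, the slow source at 198.51.100.23 stays under the default threshold, which is the trade-off of any time-windowed counter.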


