On 5/9/05, roland brouwers <roland@xxxxxx> wrote:
Someone has been attacking for a certain time on port SSH2. He is trying to log in as root and uses all kinds of usernames. See annexed text file.
How can I block a user after x failed logins? Can I do something else?
This looks like something VERY common. Wanna-be hackers ("script kiddies") try to make repeated connections using common names, hoping to find a valid user name on your system, and will try to break in using that connection. Of course, for them to be successful would require them to continue hitting your machine over and over again until they finally get through.
Watch your ftp port too. "The boss" wanted an ftp server. Once it was used to enumerate user accounts, he relented.
If you do not run ftp, look to open it and use it as an xinetd sensor.
Note: you can run ssh from xinetd; startup is slower, but that might not be a concern. Apple does that on OS X.
--
Cheers John