On Tue, 2004-12-07 at 15:24, Michael Yep wrote: > Hello > > In my LogWatch report I get many login attacks, many from the same IP address. > > sshd: > Authentication Failures: > root (218.232.109.187): 59 Time(s) > I have permitRootLogin set to NO, and I use strong passwords, but can I > just add these IP addresses to hosts.deny? > and if so how would I set that up You may also want to add the IP address those probes are coming from to your iptables with a drop rule. This makes sure that nothing from that IP address can do anything on your system. If they are trying ssh they may be trying other ports. And any address that shows up many different times needs to be blocked completely. It is either a script kiddie trying all kinds of different things or compromised system someone else is using to launch further attacks. Either way blocking them completely keeps your system safe and does not impact you at all. -- Scot L. Harris webid@xxxxxxxxxx Pollyanna's Educational Constant: The hyperactive child is never absent.
