On Mon, 2005-10-03 at 09:49 -0700, Vladimir G. Ivanovic wrote:
> >>>>> "ju" == Jonathan Underwood <j.underwood@xxxxxxxxxx> writes:
>
> ju>
> ju> Vladimir G. Ivanovic wrote:
> >> Has anyone ported sshdfilter to FC4? It seems like such a useful
> >> program now that I'm getting lots of ssh-based attacks.
> >> http://www.csc.liv.ac.uk/~greg/sshdfilter/
> >> --- Vladimir
> >>
> ju>
> ju> The following provides a similar service:
> ju>
> ju> http://www.aczoom.com/cms/blockhosts/
>
> I am currently using DenyHosts, but like blockhosts, it is not quite
> the same as sshdfilter. sshdfilter parses the output of sshd and uses
> iptables to block hosts. Both DenyHosts and blockhosts parse the
> system log file and use /etc/hosts.deny to block hosts.
>
> My sense is that sshdfilter's approach is (somewhat) better.
>

sshdfilter also has the approach that a block has a limited lifetime
before that IP is allowed access again. By default it blocks for 3 days,
but that is user configurable.

I did not look at what DenyHosts or blockhosts use in that respect. If
they do not automatically purge the block at some time, the list will get
quite long.

I had to quit using portsentry for that purpose after the blocked list
and rules in iptables and hosts.deny grew to over 5000 entries in a
period of less than a year. Manual editing of the files became unwieldy.
Portsentry also cannot monitor ports that are open for normal services,
so it would not help in the ssh attacks.
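
Added example, not part of the thread and not sshdfilter's own code: a sketch of the limited-lifetime blocking described in the reply above, where blocks are created from sshd messages and purged after 3 days so the rule set stays bounded. The failure threshold, the iptables rule shape, the class and function names, and the sample messages are assumptions made for illustration; the commands are returned as argument lists, not executed.

```python
import re
from datetime import datetime, timedelta

BLOCK_LIFETIME = timedelta(days=3)  # default block lifetime given in the message
MAX_FAILURES = 3                    # assumed threshold, not stated in the thread
FAILED = re.compile(
    r"Failed password for (?:invalid user )?\S+ from (\d{1,3}(?:\.\d{1,3}){3}) ")

# Constructed sshd messages using documentation-range addresses, not real logs.
SAMPLE = [
    ("2005-10-01 10:00:00", "Failed password for invalid user admin from 192.0.2.10 port 4101 ssh2"),
    ("2005-10-01 10:00:05", "Failed password for root from 192.0.2.10 port 4102 ssh2"),
    ("2005-10-01 10:00:10", "Failed password for root from 192.0.2.10 port 4103 ssh2"),
    ("2005-10-02 08:30:00", "Accepted password for alice from 203.0.113.5 port 5000 ssh2"),
    ("2005-10-04 10:01:00", "Failed password for root from 198.51.100.7 port 6000 ssh2"),
]

def rule(action, ip):
    # Assumed rule shape: drop TCP/22 from one source; -I inserts, -D deletes.
    return ["iptables", action, "INPUT", "-s", ip, "-p", "tcp", "--dport", "22", "-j", "DROP"]

class ExpiringBlocklist:
    def __init__(self, lifetime=BLOCK_LIFETIME, max_failures=MAX_FAILURES):
        self.lifetime, self.max_failures = lifetime, max_failures
        self.failures = {}  # ip -> failed logins seen so far
        self.blocked = {}   # ip -> time at which the block expires

    def purge(self, now):
        """Remove expired blocks so the rule set stays bounded."""
        expired = [ip for ip, until in self.blocked.items() if until <= now]
        for ip in expired:
            del self.blocked[ip]
        return [rule("-D", ip) for ip in expired]

    def observe(self, when, message):
        """Process one sshd message; return the iptables commands it triggers."""
        cmds = self.purge(when)
        m = FAILED.search(message)
        if m and m.group(1) not in self.blocked:
            ip = m.group(1)
            self.failures[ip] = self.failures.get(ip, 0) + 1
            if self.failures[ip] >= self.max_failures:
                del self.failures[ip]
                self.blocked[ip] = when + self.lifetime
                cmds.append(rule("-I", ip))
        return cmds

def replay(events):
    bl, issued = ExpiringBlocklist(), []
    for stamp, msg in events:
        issued += bl.observe(datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), msg)
    return bl, issued
```

Replaying SAMPLE blocks 192.0.2.10 on its third failure and removes that rule when the first message after the 3-day lifetime arrives, so the number of live rules tracks recent offenders only.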