On Sat, 18 Jun 2005, Mike Pepe wrote:
Thomas Cameron wrote:
These attacks appear to me to fire multiple concurrent connections to get around the delay.
Possibly. I found a script out there and modified it a bit, this will block the attacker after opening up 3 concurrent connections in 60 seconds:
I prefer pam_abl myself: http://www.hexten.net/sw/pam_abl/index.mhtml
It automatically blacklists IPs which fail more than X logins in a user-specified time. All attempts after that fail, even if the user+pass supplied is correct.
Firewalling miscreants out is a dead giveaway for them, so they give up and immediately move on to the next victim. pam_abl is nice because it makes them waste their time.
Jun 13 05:18:47 sasami pam_abl[7593]: Blocking access from 210.0.178.146 to service sshd, user root
[...]
Jun 16 04:44:15 sasami pam_abl[20188]: Blocking access from 202.76.92.199 to service sshd, user root
[...]
Jun 16 07:15:28 sasami pam_abl[40]: Blocking access from mail.estudio-jardo.com.ar to service sshd, user mysql
Jun 16 07:31:33 sasami pam_abl[26812]: Blocking access from mail.estudio-jardo.com.ar to service sshd, user root
Jun 16 07:31:38 sasami pam_abl[13388]: Blocking access from mail.estudio-jardo.com.ar to service sshd, user root
Jun 16 07:31:43 sasami pam_abl[7209]: Blocking access from mail.estudio-jardo.com.ar to service sshd, user root
<3 <3 <3 <3 <3
It warms the heart to watch all these criminals waste their time bouncing off your auto-blacklist.
-Dan
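For readers who want to see the policy Dan describes in running code, here is an added illustrative reimplementation of the pam_abl idea (sliding-window failure count per host, then a block during which every attempt is rejected even with the right password). It is not pam_abl's code and not part of the original thread: the threshold, window and block duration are hypothetical knobs, not pam_abl's configuration keys; the attacker address is the one from the log excerpt above; 192.0.2.10 and all timestamps are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


class AutoBlacklist:
    """Sliding-window failed-login blacklist in the spirit of pam_abl.

    Illustrative reimplementation, not pam_abl's own code. A host that
    accumulates `max_failures` failed logins within `window` is blocked for
    `block_for`. While blocked, every attempt is rejected, including ones
    that present the correct password. The attacker still gets a connection
    and an auth prompt (unlike a firewall drop), so nothing tells them to
    move on; they just keep failing.
    """

    def __init__(self, max_failures=3, window=timedelta(minutes=60),
                 block_for=timedelta(hours=24)):
        self.max_failures = max_failures          # hypothetical knob
        self.window = window                      # hypothetical knob
        self.block_for = block_for                # hypothetical knob
        self.failures = defaultdict(deque)        # host -> failure timestamps
        self.blocked_until = {}                   # host -> expiry datetime
        self.log = []                             # pam_abl-style audit lines

    def is_blocked(self, host, now):
        until = self.blocked_until.get(host)
        if until is None:
            return False
        if now >= until:
            del self.blocked_until[host]          # block has lapsed
            return False
        return True

    def attempt(self, host, user, password_ok, now, service="sshd"):
        """Return True if the login is allowed, False if it is rejected."""
        if self.is_blocked(host, now):
            # Rejected regardless of password_ok: this is the property the
            # thread is praising. Log in the same shape as pam_abl's messages.
            self.log.append(
                f"{now:%b %d %H:%M:%S} pam_abl: Blocking access from {host} "
                f"to service {service}, user {user}")
            return False
        if password_ok:
            return True
        q = self.failures[host]
        q.append(now)
        # Drop failures that have fallen out of the sliding window.
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_failures:
            self.blocked_until[host] = now + self.block_for
            q.clear()
        return False


def brute_force_demo():
    """Constructed scenario: three wrong guesses, then the right password."""
    bl = AutoBlacklist(max_failures=3, window=timedelta(minutes=60))
    t0 = datetime(2005, 6, 13, 5, 18, 0)          # constructed timestamp
    attacker = "210.0.178.146"                    # host from the log excerpt
    results = []
    for i, ok in enumerate([False, False, False, True, True]):
        results.append(bl.attempt(attacker, "root", ok,
                                  t0 + timedelta(seconds=i)))
    # A different host (constructed, TEST-NET-1 range) with the right
    # password is unaffected by the attacker's block.
    results.append(bl.attempt("192.0.2.10", "root", True,
                              t0 + timedelta(seconds=10)))
    return results, bl.log


def block_expires():
    """The same host, tried again after the block has lapsed, gets in."""
    bl = AutoBlacklist(max_failures=3, window=timedelta(minutes=60),
                       block_for=timedelta(hours=24))
    t0 = datetime(2005, 6, 13, 5, 18, 0)          # constructed timestamp
    for i in range(3):
        bl.attempt("210.0.178.146", "root", False, t0 + timedelta(seconds=i))
    # Correct password five minutes in: still blocked.
    assert bl.attempt("210.0.178.146", "root", True,
                      t0 + timedelta(minutes=5)) is False
    # Correct password 25 hours in: block expired, allowed again.
    return bl.attempt("210.0.178.146", "root", True,
                      t0 + timedelta(hours=25))


if __name__ == "__main__":
    results, log = brute_force_demo()
    print(results)
    print("\n".join(log))
    print("allowed after expiry:", block_expires())
```

Two caveats worth keeping in mind with any such scheme: the block is keyed on the source address, so a legitimate user behind the same NAT or proxy as an attacker is locked out with them, and an attacker spreading guesses across many source addresses stays under a per-host threshold.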