
Stopping SSH dictionary attacks?

So I notice in my authlog that someone's been hitting my SSH daemon with a 'dictionary' username attack from multiple IPs. It's not really causing too much trouble (I've only got one name in the AllowUsers config option), but I sure would like to put a stop to it.

I was really hoping that the SSHD had some sort of timeout for authorization failures that would cause the daemon to reject any further attempts from a failed IP for x minutes after x failed attempts, but there doesn't seem to be that facility - am I missing something?

The box with the SSH Daemon is behind an IPCop firewall that port-forwards the SSH port.

One solution I'm considering is writing a script that parses authlog every hour or so and adds any IPs with more than x failed login attempts to ipcop/etc/hosts_deny. Am I on the right track with this (has someone already done it - I'm a big fan of not re-inventing the wheel)?

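The hourly authlog scan proposed in the message, sketched as an added example that is not part of the original post. It assumes OpenSSH-style "Failed password" log lines and TCP-wrappers style `sshd: <addr>` output; the function names, threshold and allowlist are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# The user name in the log line is supplied by the remote client and may itself
# contain " from <addr> port <n>", so match only the LAST such group on the line.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:invalid|illegal) user )?.*"
    r" from (\S+) port \d+(?: ssh\d*)?\s*$"
)

def failed_sources(lines):
    """Count failed password attempts per source IP address."""
    counts = Counter()
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue
        try:
            counts[str(ipaddress.ip_address(m.group(1)))] += 1
        except ValueError:
            pass  # source logged as a host name, not an address: skip it
    return counts

def deny_entries(lines, threshold, allow=()):
    """hosts.deny-style lines for sources with more than `threshold` failures."""
    nets = [ipaddress.ip_network(n) for n in allow]
    entries = []
    for addr, n in sorted(failed_sources(lines).items()):
        ip = ipaddress.ip_address(addr)
        trusted = any(ip.version == net.version and ip in net for net in nets)
        if n > threshold and not trusted:
            entries.append(f"sshd: {addr}")
    return entries

# Constructed sample log (documentation addresses), not taken from the post.
SAMPLE = (
    [f"Dec 20 03:11:0{i} box sshd[210{i}]: Failed password for illegal user u{i} "
     f"from 203.0.113.9 port 4011{i} ssh2" for i in range(4)]
    + ["Dec 20 03:12:00 box sshd[2110]: Failed password for illegal user "
       "a from 192.0.2.1 port 1 x from 198.51.100.7 port 40200 ssh2"]
    + [f"Dec 20 08:30:0{i} box sshd[220{i}]: Failed password for alice "
       f"from 192.168.1.20 port 5000{i} ssh2" for i in range(5)]
    + ["Dec 20 08:31:00 box sshd[2206]: Accepted password for alice "
       "from 192.168.1.20 port 50010 ssh2"]
)

if __name__ == "__main__":
    print("\n".join(deny_entries(SAMPLE, threshold=3, allow=["192.168.1.0/24"])))
```

Since the attempts described come from multiple IPs, a per-address threshold only catches sources that individually exceed it. The allowlist keeps a mistyped password from a trusted network from locking out the one account in AllowUsers.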