From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from pigeon.gentoo.org ([69.77.167.62] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1L80ak-0004Uk-T8 for garchives@archives.gentoo.org; Wed, 03 Dec 2008 22:53:11 +0000
Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 2019FE05E6; Wed, 3 Dec 2008 22:53:08 +0000 (UTC)
Received: from mail1.optus.com.au (mail1.optus.com.au [203.13.126.129]) by pigeon.gentoo.org (Postfix) with ESMTP id C7AF6E05E6 for ; Wed, 3 Dec 2008 22:53:07 +0000 (UTC)
Received: from mail1.optus.com.au (unknown [127.0.0.1]) by IMSA (Postfix) with ESMTP id B75A720F0B8 for ; Thu, 4 Dec 2008 09:53:04 +1100 (EST)
Received: from chow2ke002.optus.com.au (unknown [161.43.32.103]) by mail1.optus.com.au (Postfix) with ESMTP id B36B820F0B3 for ; Thu, 4 Dec 2008 09:53:04 +1100 (EST)
Received: from excprdhubw001.optus.com.au ([10.8.36.36]) by chow2ke002.optus.com.au with Microsoft SMTPSVC(6.0.3790.3959); Thu, 4 Dec 2008 09:53:04 +1100
Received: from excprdmbxw002.optus.com.au ([10.8.36.30]) by excprdhubw001.optus.com.au ([10.8.36.36]) with mapi; Thu, 4 Dec 2008 09:53:04 +1100
From: Adam Carter
To: "gentoo-user@lists.gentoo.org"
Date: Thu, 4 Dec 2008 09:54:14 +1100
Subject: RE: [gentoo-user] Curious pattern in log files from ssh...
Thread-Topic: [gentoo-user] Curious pattern in log files from ssh...
Thread-Index: AclVkOZ59H5Ks6lPQAmf65PLet4FLAABc7YQ
Message-ID: <5602B0BD6D59AE4791BE83104940118D3BD1CF05@excprdmbxw002.optus.com.au>
In-Reply-To: <4936FE82.9070509@shic.co.uk>
Accept-Language: en-US, en-AU
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US, en-AU
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-user@lists.gentoo.org
Reply-to: gentoo-user@lists.gentoo.org
MIME-Version: 1.0
X-OriginalArrivalTime: 03 Dec 2008 22:53:04.0592 (UTC) FILETIME=[E6B79D00:01C95599]
X-TM-AS-Product-Ver: IMSS-7.0.0.3091-5.5.0.1026-16318.002
X-TM-AS-User-Approved-Sender: No
X-TM-AS-Result-Xfilter: Match text exemption rules:Yes
X-Archives-Salt: 93864fe6-ce82-46d8-af83-7498feab96c2
X-Archives-Hash: f3e51b20c06f6c27746d050e44966997

> I previously used denyhosts - but (I can't remember why) it became
> preferable to block with IPtables rather than with tcpwrappers... which
> prompted me to dump it in favour of a bespoke script based upon
> blacklist.py (http://blinkeye.ch/mediawiki/index.php/SSH_Blocking) -
> though, now, I'm tempted by the more professional looking sshguard -
> thanks for the tip. Of course, this doesn't really address the problem
> I posted about - because I'm now faced with a highly distributed
> dictionary attack...

Fail2ban is iptables based. From the website it now appears to have a map feature so if say you notice most of the attacks coming from China, and none of your ssh users are in China, you could perhaps block the entire country with http://people.netfilter.org/~peejix/geoip/howto/geoip-HOWTO.html
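The thread's point is that a per-IP banning tool (denyhosts, sshguard, fail2ban) never fires against a distributed dictionary attack, because each source stays under the retry threshold, which is why the reply reaches for coarser blocking by network or country. The script below is an added illustration, not code from the thread, fail2ban or sshguard: it parses constructed sshd log lines, shows which sources a fail2ban-style per-IP threshold would ban, then groups the remaining low-rate failures by /24 to surface the distributed pattern and emit the corresponding iptables rules. The threshold values and the `/24` grouping are choices made here, not fail2ban defaults.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_network

# Constructed sample sshd log lines (not taken from the thread): six hosts in
# one /24 each try one password, one host retries root six times, and one
# legitimate key login.
SAMPLE_LOG = """\
Dec  3 22:01:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.10 port 40112 ssh2
Dec  3 22:01:05 host sshd[1203]: Failed password for invalid user test from 203.0.113.11 port 40113 ssh2
Dec  3 22:01:09 host sshd[1205]: Failed password for root from 203.0.113.12 port 40114 ssh2
Dec  3 22:01:14 host sshd[1207]: Failed password for invalid user oracle from 203.0.113.13 port 40115 ssh2
Dec  3 22:01:20 host sshd[1209]: Failed password for invalid user admin from 203.0.113.14 port 40116 ssh2
Dec  3 22:01:25 host sshd[1211]: Failed password for root from 203.0.113.15 port 40117 ssh2
Dec  3 22:02:01 host sshd[1213]: Failed password for root from 198.51.100.7 port 51000 ssh2
Dec  3 22:02:02 host sshd[1213]: Failed password for root from 198.51.100.7 port 51000 ssh2
Dec  3 22:02:03 host sshd[1213]: Failed password for root from 198.51.100.7 port 51000 ssh2
Dec  3 22:02:04 host sshd[1213]: Failed password for root from 198.51.100.7 port 51000 ssh2
Dec  3 22:02:05 host sshd[1213]: Failed password for root from 198.51.100.7 port 51000 ssh2
Dec  3 22:02:06 host sshd[1213]: Failed password for root from 198.51.100.7 port 51000 ssh2
Dec  3 22:03:00 host sshd[1220]: Accepted publickey for alice from 192.0.2.5 port 33000 ssh2
"""

# Matches the OpenSSH "Failed password" line for both valid and invalid users.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port"
)


def parse_failures(text):
    """Return (username, source_ip) for every failed-password line."""
    out = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def per_ip_bans(failures, maxretry=5):
    """Emulate a per-IP threshold (fail2ban-style; value chosen here):
    return the set of source IPs that would be banned."""
    counts = Counter(ip for _, ip in failures)
    return {ip for ip, n in counts.items() if n >= maxretry}


def distributed_sources(failures, maxretry=5, min_hosts=3):
    """Group failures by /24 and report prefixes where at least `min_hosts`
    distinct hosts each stayed below the per-IP threshold. Returns
    {prefix: (quiet_host_count, failures_from_quiet_hosts)}."""
    hosts_by_net = defaultdict(Counter)
    for _, ip in failures:
        net = ip_network(f"{ip}/24", strict=False)  # strict=False drops host bits
        hosts_by_net[net][ip] += 1
    result = {}
    for net, hosts in hosts_by_net.items():
        quiet = [ip for ip, n in hosts.items() if n < maxretry]
        if len(quiet) >= min_hosts:
            result[str(net)] = (len(quiet), sum(hosts[ip] for ip in quiet))
    return result


def iptables_rules(prefixes, port=22):
    """Render DROP rules for the flagged prefixes (standard iptables syntax).
    A country-wide GeoIP match would replace the -s prefix with an
    xtables-addons geoip match; that module is not assumed here."""
    return [f"iptables -A INPUT -p tcp --dport {port} -s {p} -j DROP"
            for p in sorted(prefixes)]


if __name__ == "__main__":
    failures = parse_failures(SAMPLE_LOG)
    print("per-IP bans:", sorted(per_ip_bans(failures)))
    spread = distributed_sources(failures)
    print("distributed /24s:", spread)
    for rule in iptables_rules(spread):
        print(rule)
```

On the sample above the per-IP threshold bans only the noisy `198.51.100.7`, while the six single-attempt hosts in `203.0.113.0/24` go unbanned until they are viewed as a prefix. Widening the grouping (to a /16, or to a country via a GeoIP lookup) trades finer blocks for a higher chance of locking out your own users, which is the caveat in the reply about checking where your ssh users actually are.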