From: "Paul Hartman"
Date: Wed, 3 Dec 2008 14:19:14 -0600
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: Curious pattern in log files from ssh...

On Wed, Dec 3, 2008 at 2:16 PM, Nikos Chantziaras wrote:
> Steve wrote:
>>
>> [...]
>> Sure, I could use IPtables to block all these bad ports... or... I could
>> disable password authentication entirely... but I keep thinking that
>> there has to be something better I can do... any suggestions?
>
> I'm using DenyHosts to battle this. It adds the IPs to /etc/hosts.deny
> after a configurable amount of failed logins. It even downloads an online
> list of IPs where attacks originate from and uploads attacks to your box to
> this list too (if you allow it in the configuration).
>
> After I installed this, no more brute-forcing :) I used to have thousands
> per day.
>
> http://www.denyhosts.net
>
> It's in portage.

The big botnet attacks are doing no more than 2 login attempts per IP,
making stuff like denyhosts hard to use (unless you set it to ban
after 1 login attempt, but that'll catch real users who make a typo)
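
The point made in the reply above, as an added example that is not part of the original message or of DenyHosts: a per-IP failure threshold sees nothing when each address makes at most 2 attempts, while counting distinct failing addresses per time window still flags the activity. The log lines are constructed, and the function names, the 10-minute window and the thresholds are assumptions chosen for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# OpenSSH syslog format for a failed password attempt.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)

def parse(lines, year=2008):
    """Return (timestamp, user, ip) for each failed-password line.
    Syslog omits the year, so it is passed in (assumption)."""
    events = []
    for line in lines:
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return events

def per_ip_offenders(events, threshold):
    """Per-IP view: addresses with at least `threshold` failures."""
    counts = Counter(ip for _, _, ip in events)
    return {ip for ip, n in counts.items() if n >= threshold}

def distributed_windows(events, window=timedelta(minutes=10), min_ips=5):
    """Aggregate view: {window_start: distinct failing IPs} where the
    count reaches min_ips, however few attempts each IP made."""
    buckets = defaultdict(set)
    for ts, _, ip in events:
        start = ts - (ts - datetime.min) % window  # align to fixed windows
        buckets[start].add(ip)
    return {s: len(ips) for s, ips in buckets.items() if len(ips) >= min_ips}

# Constructed sample: 8 addresses making 2 attempts each inside ten
# minutes, plus one legitimate user (hypothetical "alice") with one typo.
SAMPLE = [
    f"Dec  3 20:0{i}:{10 + j} host sshd[{4000 + i}]: Failed password for "
    f"invalid user admin from 203.0.113.{i + 1} port {40000 + i} ssh2"
    for i in range(8) for j in range(2)
] + ["Dec  3 20:05:00 host sshd[4100]: Failed password for alice "
     "from 198.51.100.7 port 50522 ssh2"]
EVENTS = parse(SAMPLE)

if __name__ == "__main__":
    print("banned at threshold 3:", per_ip_offenders(EVENTS, 3))
    print("banned at threshold 1:", sorted(per_ip_offenders(EVENTS, 1)))
    print("windows with many sources:", distributed_windows(EVENTS))
```

The aggregate count is an alerting signal for the host as a whole, not a ban list: the window it flags also contains the legitimate user's address.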