[nycbug-talk] Analyzing malicious SSH login attempts

Trish Lynch trish at bsdunix.net
Tue Sep 12 15:37:11 EDT 2006


On Tue, 12 Sep 2006, csnyder wrote:

>
> I really wish the OpenSSH developers would address this issue in the
> server itself, by giving admins a lockout setting. I see absolutely no
> reason why hundreds of failed login attempts from the same IP address
> should be permitted as if it was standard procedure.
>

I 100% agree with this, it's frustrating to have to rely upon self-made 
scripts and third-party apps to get OpenSSH to do what it should, which is 
lock out an IP/username after a certain amount of failed logins. It's not 
too hard to implement, and I'm sure we're not the only ones asking for it.


> Anyway, I use a php script that scans the log for multiple failed
> logins from a single IP, then sets a temporary firewall rule blocking
> access from that address.
>

Yes, there are plenty of "log watcher" type programs out there, but why 
not build this functionality within the daemon itself? Many other daemons 
have it....

-Trish

-- 
Trish Lynch					   trish at bsdunix.net
Key fingerprint = 781D 2B47 AA4B FC88 B919  0CD6 26B2 1D62 6FC1 FF16
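
The log-scanning approach discussed in this message, as an added example that is not code from the thread (it is Python, not csnyder's PHP script, and it only reports which addresses to block rather than touching a firewall). The threshold, time window, block duration, log year and host name "gw" are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The username is attacker-controlled, so the greedy (.*) plus the end anchor
# make the regex take the LAST "from <ip> port <n> ssh2" that sshd itself wrote.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(.*) from (\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

def find_offenders(lines, threshold=5, window=timedelta(minutes=10),
                   block_for=timedelta(hours=1), year=2006):
    """Return {ip: unblock_time} for IPs with >= threshold failures in window."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside window
    blocked = {}
    for line in lines:
        m = FAILED.match(line.rstrip("\n"))
        if not m:
            continue
        # Syslog timestamps omit the year; the caller supplies it (assumption).
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        q = recent[m.group(3)]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            blocked[m.group(3)] = ts + block_for  # temporary block, extended on repeats
    return blocked

# Constructed sample log lines (documentation addresses, hypothetical host "gw").
SAMPLE = (
    [f"Sep 12 15:30:0{i} gw sshd[81{i}]: Failed password for root "
     f"from 192.0.2.10 port 4000{i} ssh2" for i in range(5)]
    + ["Sep 12 15:30:09 gw sshd[820]: Failed password for invalid user "
       "x from 203.0.113.99 port 1 ssh2 from 192.0.2.10 port 40009 ssh2",
       "Sep 12 15:31:00 gw sshd[830]: Accepted password for alice "
       "from 198.51.100.7 port 50000 ssh2",
       "Sep 12 15:32:00 gw sshd[831]: Failed password for bob "
       "from 198.51.100.7 port 50001 ssh2"]
)

if __name__ == "__main__":
    for ip, until in find_offenders(SAMPLE).items():
        print(f"block {ip} until {until:%Y-%m-%d %H:%M:%S}")
```

The returned unblock time is what makes the rule temporary: whatever applies the block should also remove it once that time has passed.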


