[nycbug-talk] Analyzing malicious SSH login attempts

Trish Lynch trish at bsdunix.net
Tue Sep 12 15:37:11 EDT 2006

On Tue, 12 Sep 2006, csnyder wrote:

> I really wish the OpenSSH developers would address this issue in the
> server itself, by giving admins a lockout setting. I see absolutely no
> reason why hundreds of failed login attempts from the same IP address
> should be permitted as if it was standard procedure.

I 100% agree with this, it's frustrating to have to rely upon self-made 
scripts and third-party apps to get OpenSSH to do what it should, which is 
lock out an IP/username after a certain amount of failed logins. It's not 
too hard to implement, and I'm sure we're not the only ones asking for it.

> Anyway, I use a php script that scans the log for multiple failed
> logins from a single IP, then sets a temporary firewall rule blocking
> access from that address.

Yes, there are plenty of "log watcher" type programs out there, but why 
not build this functionality within the daemon itself? Many other daemons 
have it...


Trish Lynch					   trish at bsdunix.net
Key fingerprint = 781D 2B47 AA4B FC88 B919  0CD6 26B2 1D62 6FC1 FF16
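
Added example, not part of the original message and not csnyder's PHP script: a Python sketch of the log-scanning approach discussed in this thread, counting failed sshd logins per source IP inside a sliding window and returning a block expiry for each offender. The log lines, thresholds, year and function name are constructed assumptions; only IPv4 is matched, and applying the firewall rule is left to the caller.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd syslog lines (documentation-range addresses).
SAMPLE_LOG = """\
Sep 12 15:30:01 host sshd[411]: Failed password for root from 203.0.113.7 port 4021 ssh2
Sep 12 15:30:03 host sshd[412]: Failed password for invalid user admin from 203.0.113.7 port 4022 ssh2
Sep 12 15:30:05 host sshd[413]: Failed password for root from 203.0.113.7 port 4023 ssh2
Sep 12 15:30:06 host sshd[414]: Failed password for invalid user x from 192.0.2.10 port 22 ssh2 from 203.0.113.7 port 4024 ssh2
Sep 12 15:30:08 host sshd[415]: Failed password for root from 203.0.113.7 port 4025 ssh2
Sep 12 15:31:00 host sshd[416]: Failed password for alice from 198.51.100.20 port 5100 ssh2
Sep 12 15:40:00 host sshd[417]: Accepted password for alice from 192.0.2.10 port 5200 ssh2
Sep 12 15:45:00 host sshd[418]: Failed password for alice from 198.51.100.20 port 5101 ssh2
"""

# The user field is client-supplied text, so the address is taken from the END
# of the line (greedy ".*" plus "$"); text inside the user name that looks like
# "from <ip>" is then never read as the source address.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+(?: ssh\d)?$")

def find_offenders(log_text, threshold=3, window=timedelta(minutes=5),
                   block_for=timedelta(hours=1), year=2006):
    """Return {ip: block_expiry} for IPs with >= threshold failures in window."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    blocks = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so the caller supplies one.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        q = recent[m.group(2)]
        q.append(ts)
        while ts - q[0] > window:     # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:       # temporary block, extended on each new hit
            blocks[m.group(2)] = ts + block_for
    return blocks

if __name__ == "__main__":
    for ip, expiry in find_offenders(SAMPLE_LOG).items():
        print(f"block {ip} until {expiry}")
```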

