Easiest way with CentOS on-board tools is the iptables recent module ...
Simply limit the number of connections a host is allowed to make to the ssh port:
iptables -N SSHSCAN
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSHSCAN
iptables -A SSHSCAN -m recent --set --name SSH
iptables -A SSHSCAN -m recent --update --seconds 300 --hitcount 3 --name SSH -j DROP
Limits each host to 3 connections within 5 minutes. Enough to make bots stop and still not too annoying for users that mistype their password 3x3 times.
On Mon, Jul 21, 2008 at 10:43 PM, Bo Lynch <blynch@ameliaschools.com> wrote:
Just wanted to get some feedback from the community. Over the last few days I have noticed that my web server and email box have had attempts to ssh to them using weird names like admin, appuser, nobody, etc. None of these are valid users. I know that I can block sshd altogether with iptables, but that will not work for us. I did a little research on Google and found programs like sshguard and sshdfilter. Just wanted to know if anyone had any experience with anything like these programs or has any other advice. I really appreciate it.
-- Bo Lynch
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
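
How the two `recent` rules in the SSHSCAN chain above evaluate a stream of new connections, as an added example that is not part of the original messages: a simplified Python model of the match as documented (`--set` records every attempt, `--update` counts timestamps inside the window and re-stamps the source when it matches). The class and function names, addresses and timings are constructed for illustration, and `refresh=False` models `--rcheck` for comparison.

```python
# Added illustration: simplified model of the iptables "recent" match as used
# by the SSHSCAN chain. Addresses and timestamps are constructed sample data.
from collections import defaultdict, deque

SECONDS = 300     # --seconds 300
HITCOUNT = 3      # --hitcount 3
MAX_STAMPS = 20   # module default ip_pkt_list_tot: timestamps kept per address


class RecentList:
    """One named list (--name SSH): source address -> recent timestamps."""

    def __init__(self, seconds=SECONDS, hitcount=HITCOUNT, refresh=True):
        self.seconds = seconds
        self.hitcount = hitcount
        self.refresh = refresh  # True models --update, False models --rcheck
        self.stamps = defaultdict(lambda: deque(maxlen=MAX_STAMPS))

    def new_connection(self, src, now):
        """Verdict for one NEW packet to port 22 from src at time now (s)."""
        seen = self.stamps[src]
        seen.append(now)  # rule 1: --set records the attempt, never drops
        # rule 2: the count includes the timestamp rule 1 just recorded
        hits = sum(1 for t in seen if now - t <= self.seconds)
        if hits >= self.hitcount:
            if self.refresh:
                seen.append(now)  # --update re-stamps the source on a match
            return "DROP"
        return "ACCEPT"  # end of SSHSCAN reached, packet returns to INPUT


def replay(events, **options):
    """events: iterable of (time_s, src), in time order. Returns verdicts."""
    table = RecentList(**options)
    return [table.new_connection(src, t) for t, src in events]


# Constructed traffic: a bot retrying once a minute, and a user who makes
# three quick attempts, retries just after five minutes, then again later.
BOT = [(t, "198.51.100.7") for t in range(0, 900, 60)]
USER = [(t, "192.0.2.10") for t in (0, 10, 20, 315, 700)]

if __name__ == "__main__":
    print("bot,  --update:", replay(BOT))
    print("user, --update:", replay(USER))
    print("user, --rcheck:", replay(USER, refresh=False))
```

In this model a source that keeps retrying inside the window never regains access, and the user's retry at 315 s is dropped under `--update` but accepted under `--rcheck`, because the dropped attempt at 20 s was stamped twice.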