No! It's my secret! Bu-Wa-Ha-Ha! (or however that's spelled...)
Okay, you forced it out of me...
http://linuxmafia.com/pub/linux/security/ssh-dictionary-attack-blacklist
:)
Sam Drinkard wrote:
Kirk,
If you don't mind, could you let me know where that script is? I'm seeing the same thing -- kiddies trying to log in. I use something similar, but manual entry on my mail server that is in a co-lo site running FreeBSD. Here at home, I thought I'd be pretty well protected behind the router, but I have to have the ssh port open, and I'm seeing hundreds of attempts. Thanks...
Sam
Kirk Bocek wrote:
Good question, Alex. However, I've never studied the scripts that 'script kiddies' use and so have no answer.
Part of what has prompted this change is the recent surge of brute-force password attacks. From the timing of the password attempts, it's clear that these are script driven.
I found a perl script that watches for failed logins. After a configurable number, the script enters the IP address into /etc/hosts.deny. After a configurable number of days, the script then removes the IP address.
What I see in /var/log/secure is a whole series of 'Invalid user' messages followed by 'Failed password for invalid user' messages. These will then, because of the script, be terminated by a 'refused connect from' message when the address is entered into hosts.deny.
My point in all this is that I only ever see *one* 'refused connect' message. So at least for this script, it gives up when it can't connect anymore.
Kirk Bocek
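Kirk describes the perl script only in outline. The Python below is an added example, not the script he found, and reproduces the two halves of that behaviour on constructed /var/log/secure lines: it counts 'Failed password' events per source IP, emits hosts.deny entries for sources at or above a threshold, and expires its own entries after a configurable number of days. The threshold, the date stamp and the '# sshd-blacklist' marker are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# One "Failed password" line is logged per attempt; the "Invalid user" line that
# precedes it is the same attempt, so only this form is counted (no double counting).
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?\S+ from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)
TAG = "# sshd-blacklist"  # assumed marker so only this script's own entries get expired

def count_failures(log_lines):
    """Count failed-password events per source IP."""
    counts = Counter()
    for line in log_lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts

def deny_entries(counts, threshold, now):
    """Build hosts.deny lines for IPs at or above threshold, stamped with the add date."""
    stamp = now.strftime("%Y-%m-%d")
    return [f"sshd: {ip} {TAG} {stamp}"
            for ip, n in sorted(counts.items()) if n >= threshold]

def expire_entries(deny_lines, max_age_days, now):
    """Drop tagged entries older than max_age_days; untagged lines are left alone."""
    kept = []
    for line in deny_lines:
        if TAG in line:
            added = datetime.strptime(line.rsplit(" ", 1)[1], "%Y-%m-%d")
            if now - added > timedelta(days=max_age_days):
                continue
        kept.append(line)
    return kept

# Constructed /var/log/secure-style lines (documentation IPs, not real traffic).
SAMPLE_LOG = [
    "Jan 10 03:14:01 host sshd[2201]: Invalid user admin from 203.0.113.5",
    "Jan 10 03:14:03 host sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 40211 ssh2",
    "Jan 10 03:14:05 host sshd[2203]: Failed password for invalid user test from 203.0.113.5 port 40212 ssh2",
    "Jan 10 03:14:08 host sshd[2205]: Failed password for root from 203.0.113.5 port 40213 ssh2",
    "Jan 10 03:20:11 host sshd[2210]: Failed password for kirk from 198.51.100.7 port 51000 ssh2",
]
EXAMPLE_NOW = datetime(2024, 1, 10)  # fixed clock so the sample run is reproducible

if __name__ == "__main__":
    for entry in deny_entries(count_failures(SAMPLE_LOG), threshold=3, now=EXAMPLE_NOW):
        print(entry)  # sshd: 203.0.113.5 # sshd-blacklist 2024-01-10
```

hosts.deny is only consulted by services linked against tcp_wrappers, so confirm the sshd in use actually honours it (newer OpenSSH builds often do not) before relying on this.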