Max wrote:
> John Merritt wrote:
>
>> Hi,
>>
>> Thanks to everyone who responded. I learned a lot today.
>>
>
> I found a cool project called DenyHosts that I just set up last evening
> for this purpose. I haven't used it very long, but it was very easy to
> set up, and seems to be working for me. I know it's cut down on the
> invalid user logging in /var/log/secure in a matter of a day already,
> and I've even left SSH traffic on port 22, just to make sure that it's
> being hammered on.
>
> Check it out.
>
> <http://denyhosts.sourceforge.net/index.html>
>
> Max

A very simple way of denying repeated ssh access after the first time is
to replace the

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

line in /etc/sysconfig/iptables with the following two lines (the mailer
might wrap them):

-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport ssh -m recent --name SSH --update --seconds 30 -j DROP
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport ssh -m recent --name SSH --set -j ACCEPT

The only drawback is that a permitted user has to wait 30 seconds after
the end of an ssh session before she can establish a new one.

Works very well here.

Kay
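To see why the ordering of the two rules matters (the `--update` DROP rule first, the `--set` ACCEPT rule second), here is an added Python model of how the `recent` list treats a series of NEW connection attempts; it is not code from the thread, the addresses and timestamps are constructed, and it assumes the simplified semantics described in its comments.

```python
# Added example, not from the mailing-list post: a small model of the two
# 'recent'-module rules (--update --seconds 30 -j DROP, then --set -j ACCEPT)
# applied to a sequence of NEW SSH connection attempts. Timestamps and
# addresses are constructed; xt_recent's hit history and TTL check are
# not modelled.

WINDOW_SECONDS = 30  # the --seconds value in the posted rules


class RecentList:
    """One '--name' list of xt_recent: source address -> last seen time."""

    def __init__(self):
        self.last_seen = {}

    def update(self, src, now, seconds):
        """--update --seconds N: match only if src is listed and was seen
        within N seconds; a match refreshes the timestamp."""
        seen = self.last_seen.get(src)
        if seen is None or now - seen > seconds:
            return False
        self.last_seen[src] = now
        return True

    def set(self, src, now):
        """--set: add src (or refresh it) and always match."""
        self.last_seen[src] = now
        return True


def filter_new_ssh(attempts, seconds=WINDOW_SECONDS):
    """Run (time, src_ip) NEW-connection attempts through the two rules
    in order and return the verdict for each."""
    ssh = RecentList()
    verdicts = []
    for now, src in attempts:
        if ssh.update(src, now, seconds):  # rule 1: seen recently -> DROP
            verdicts.append("DROP")
        else:
            ssh.set(src, now)              # rule 2: record it -> ACCEPT
            verdicts.append("ACCEPT")
    return verdicts


# Constructed traffic: a scanner retrying every 10 s, and a legitimate user
# who reconnects right away and then again after 30 s of silence.
SCANNER = [(t, "192.0.2.10") for t in range(0, 60, 10)]
USER = [(0, "198.51.100.7"), (5, "198.51.100.7"), (40, "198.51.100.7")]

if __name__ == "__main__":
    print(filter_new_ssh(SCANNER))  # ACCEPT, then DROP for every retry
    print(filter_new_ssh(USER))     # ACCEPT, DROP, ACCEPT
```

Because `--update` refreshes the timestamp on every blocked attempt, a source that keeps retrying inside the window stays blocked indefinitely, while a source that stays quiet for longer than 30 seconds is accepted again.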