The apf firewall with bfd brute force detection will parse your /var/log/secure file and insert a block on any offending IP that tries repeated attacks according to your configuration. This checking is done every minute and it can email you a warning. I get these a few times a day and currently have almost 800 IPs blocked. Then of course if someone in a company that uses your system wants to make life difficult for colleagues, they can always promote a block but since you can keep the emails for ever and they list all the accounts tried, you have the evidence...:-) Have a look at http://www.r-fx.org and follow the links to apf and bfd. The software is available under GPL but there is also a service that can be purchased at reasonable rates. Best wishes John John Logsdon "Try to make things as simple Quantex Research Ltd, Manchester UK as possible but not simpler" j.logsdon at quantex-research.com a.einstein at relativity.org +44(0)161 445 4951/G:+44(0)7717758675 www.quantex-research.com On Fri, 30 Dec 2005, John Hinton wrote: > John Hinton wrote: > > > Had two nameservers crash in the last few hours... This 'never' > > happens! On the console was > > > > sent an invalid ICMP type 3, code 3 error to a broadcast: > > 255.255.255.255 on eth0 > > > > sent an invalid ICMP type 3, code 3 error to a broadcast: > > 255.255.254.255 on eth0 > > > > with the IP address of the offender? in front of that line. Any ideas? > > > > Best, > > John Hinton > > And a bit more info. > > Seems that maybe it just happened to be nameservers. Found this in the > logs repeated over and over for thousands of lines. > > Dec 30 16:00:24 cavebear vsftpd(pam_unix)[29588]: check pass; user unknown > Dec 30 16:00:24 cavebear vsftpd(pam_unix)[29588]: authentication > failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215 > Dec 30 16:00:26 cavebear vsftpd(pam_unix)[29590]: check pass; user unknown > Dec 30 16:00:26 cavebear vsftpd(pam_unix)[29590]: authentication > failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215 > Dec 30 16:00:26 cavebear vsftpd(pam_unix)[29588]: check pass; user unknown > Dec 30 16:00:26 cavebear vsftpd(pam_unix)[29588]: authentication > failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215 > Dec 30 16:00:29 cavebear vsftpd(pam_unix)[29588]: check pass; user unknown > Dec 30 16:00:29 cavebear vsftpd(pam_unix)[29588]: authentication > failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215 > Dec 30 16:00:29 cavebear vsftpd(pam_unix)[29590]: check pass; user unknown > Dec 30 16:00:29 cavebear vsftpd(pam_unix)[29590]: authentication > failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215 > Dec 30 16:00:32 cavebear vsftpd(pam_unix)[29588]: check pass; user unknown > Dec 30 16:00:32 cavebear vsftpd(pam_unix)[29588]: authentication > failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215 > Dec 30 16:00:32 cavebear vsftpd(pam_unix)[29590]: check pass; user unknown > Dec 30 16:00:32 cavebear vsftpd(pam_unix)[29590]: authentication > failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215 > Dec 30 16:00:35 cavebear vsftpd(pam_unix)[29588]: check pass; user unknown > Dec 30 16:00:35 cavebear vsftpd(pam_unix)[29588]: authentication > failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215 > Dec 30 16:00:35 cavebear vsftpd(pam_unix)[29590]: check pass; user unknown > Dec 30 16:00:35 cavebear vsftpd(pam_unix)[29590]: authentication > failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215 > Dec 30 16:00:37 cavebear vsftpd(pam_unix)[29588]: check pass; user unknown > Dec 30 16:00:37 cavebear vsftpd(pam_unix)[29588]: authentication > failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215 > Dec 30 16:00:38 cavebear vsftpd(pam_unix)[29590]: check pass; user unknown > Dec 30 16:00:38 cavebear vsftpd(pam_unix)[29590]: authentication > failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215 > Dec 30 16:00:40 cavebear vsftpd(pam_unix)[29588]: check pass; user unknown > Dec 30 16:00:40 cavebear vsftpd(pam_unix)[29588]: authentication > failure; logname= uid=0 euid=0 tty= ruser= rhost=210.95.162.215 > > Seems I'm experiencing a DoS against vsftp login. Anybody got a good way > to limit the number of failed login attempts by one IP address? > > Thanks, > John Hinton > _______________________________________________ > CentOS mailing list > CentOS at centos.org > http://lists.centos.org/mailman/listinfo/centos >