On Wed, Jan 30, 2008, Brian Mathis wrote:
...
> Log parsing scripts often don't provide the immediacy that rate
> limiting does when under attack. You'd have to run the script
> constantly parsing logs, since most ssh scans come in bursts.

We use swatch for this and other interesting events (e.g. NICs being put in promiscuous mode). It continually monitors one or more log files using gnu-tail in a perl script, and can do various things depending on a configuration file. It can send e-mail notifications and/or execute scripts which can do anything your heart desires.

The fail2ban program has similar capabilities, and can block IP addresses attempting multiple connections using iptables. Personally I prefer swatch, but that's largely because I found it first and understand its configuration.

We generally restrict ssh access to using authorized_keys, and use tcp_wrappers to further limit access by IP address. Roaming users can first establish a VPN connection using OpenVPN, then make any ssh connections via the private VPN tunnel.

Bill
--
INTERNET: bill at celestial.com        Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/         PO Box 820; 6641 E. Mercer Way
FAX: (206) 232-9186                    Mercer Island, WA 98040-0820; (206) 236-1676

Many citizens because of their respect for what only appears to be a law are cunningly coerced into waiving their rights due to ignorance. -- U.S. v. Minker
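To make the thread's point concrete (a watcher that follows the log like gnu-tail and reacts to bursts of failed ssh logins rather than parsing in batches), here is an added example in Python. It is not swatch, fail2ban or anything from Bill's post; the syslog/OpenSSH line format it matches, the 5-failures-in-60-seconds threshold, and the sample log lines (RFC 5737 documentation addresses) are all assumptions made for the example. The detection part works on any iterable of lines, so it can be fed from `follow()` on a live file or from a captured log for testing.

```python
"""Burst detection over sshd log lines.

Added example, not swatch or fail2ban code: a minimal log watcher in the
spirit of the tools discussed in the thread.  It follows a log file the way
``tail -f`` does and flags source addresses that accumulate several failed
ssh logins inside a short window, which is the "burst" pattern the thread
mentions.  The log format (syslog prefix + OpenSSH "Failed password" lines),
the thresholds and the sample data are assumptions made for this example.
"""
import re
import time
from collections import defaultdict, deque
from datetime import datetime

# Syslog prefix as written by rsyslog/syslog-ng, followed by the sshd message.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<msg>.*)$"
)
# OpenSSH failure messages; "invalid user" appears when the account does not exist.
FAIL_RE = re.compile(
    r"^Failed (?:password|publickey|none) for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)


def parse_failure(line):
    """Return (timestamp, source_ip) for a failed-login line, else None."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    f = FAIL_RE.match(m.group("msg"))
    if not f:
        return None
    # Syslog timestamps carry no year; strptime defaults to 1900, which is
    # fine because only differences between timestamps are used here.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, f.group("ip")


def burst_offenders(lines, threshold=5, window_seconds=60):
    """Map source IP -> failure count at the moment it first reached `threshold`.

    A sliding window per IP keeps only timestamps no older than
    window_seconds; the IP is reported as soon as the window holds
    `threshold` failures, which is what gives the "immediacy" the thread asks for.
    """
    recent = defaultdict(deque)
    offenders = {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, ip = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ip not in offenders:
            offenders[ip] = len(q)
    return offenders


def follow(path, poll_seconds=1.0):
    """Yield lines appended to `path`, like `tail -f` (what swatch does via gnu-tail)."""
    with open(path) as fh:
        fh.seek(0, 2)  # start at the end: only new events matter
        while True:
            line = fh.readline()
            if line:
                yield line
            else:
                time.sleep(poll_seconds)


# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
Jan 30 10:15:01 gw sshd[4120]: Accepted publickey for bill from 203.0.113.5 port 50122 ssh2
Jan 30 10:15:03 gw sshd[4131]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Jan 30 10:15:05 gw sshd[4133]: Failed password for invalid user oracle from 192.0.2.10 port 51235 ssh2
Jan 30 10:15:07 gw sshd[4135]: Failed password for root from 192.0.2.10 port 51236 ssh2
Jan 30 10:15:09 gw sshd[4137]: Failed password for root from 192.0.2.10 port 51237 ssh2
Jan 30 10:15:11 gw sshd[4139]: Failed password for invalid user test from 192.0.2.10 port 51238 ssh2
Jan 30 10:15:13 gw sshd[4141]: Failed password for invalid user guest from 192.0.2.10 port 51239 ssh2
Jan 30 10:20:00 gw sshd[4200]: Failed password for bill from 198.51.100.7 port 40001 ssh2
Jan 30 10:45:00 gw sshd[4260]: Failed password for bill from 198.51.100.7 port 40002 ssh2
Jan 30 11:10:00 gw sshd[4310]: Failed password for bill from 198.51.100.7 port 40003 ssh2
Jan 30 11:10:02 gw kernel: device eth0 entered promiscuous mode
""".splitlines()


def demo():
    """Run the burst detector over the constructed sample log."""
    return burst_offenders(SAMPLE_LOG)


if __name__ == "__main__":
    # Replace SAMPLE_LOG with follow("/var/log/auth.log") to watch a live file.
    for ip, n in demo().items():
        print(f"{ip}: {n} failed logins within 60s; candidate for a tcp_wrappers/iptables block")
```

In the sample data only 192.0.2.10 is reported: its six failures land within ten seconds, while 198.51.100.7's three failures are spread over an hour and never fill the window, and the accepted publickey login and the kernel line are ignored by the parser. The action taken on a hit (mail, a hosts.deny entry, an iptables rule) is deliberately left to the caller, mirroring how swatch delegates to a configured command.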