Rainer Traut wrote: > Am 04.04.2011 12:34, schrieb Marian Marinov: >>> How is it possible for an attacker to try to logon more then 4 times? >>> Can the attacker do this with only one TCP/IP connection without >>> establishing a new one? >>> Or have the scripts been adapted to this? >> >> The attackers are not trying constantly.. Just a few bursts of trys. >> >> Look at denyhosts ( http://denyhosts.sourceforge.net/ ). >> I also have a tool for protecting from brute force attacks called Hawk ( >> https://github.com/hackman/Hawk-IDS-IPS ). > > Ok, thanks to both of you, it seems the scripts getting better and better. > Will change my iptables rule to keep the blacklist for longer. May I highly commend to your attention fail2ban? We use it, and it works very well. Default is 3 from an IP, 5 for ssh, and it's banned for a configurable amount of time - default is 2 hours. And you can add additional filters. mark