On Sat, Mar 9, 2013 at 11:57 AM, Tilman Schmidt <t.schmidt at phoenixsoftware.de> wrote: > > Mar 3 04:44:48 gimli sshd[12870]: reverse mapping checking getaddrinfo > for hn.ly.kd.adsl failed - POSSIBLE BREAK-IN ATTEMPT! > Mar 3 04:44:49 gimli sshd[12871]: Received disconnect from > 61.163.113.72: 11: Bye Bye > > If I set "UseDNS no" the first message disappears and only the second > one remains. > > So it seems there is no way to identify password bruteforcing attempts > on servers which don't accept password authentication in the first > place. Can't you pick some reasonable number of 'received disconnect' messages to allow from a single IP? -- Les Mikesell lesmikesell at gmail.com