Re: ssh scans

To: David Wetzel <dave%turbocat.de@localhost>
Subject: Re: ssh scans
From: Rhialto <rhialto%falu.nl@localhost>
Date: Mon, 26 Oct 2009 21:54:05 +0100

On Mon 26 Oct 2009 at 12:42:57 -0700, David Wetzel wrote:
> Hi,
>
> I am seeing a lot of ssh scans and I am wondering if somebody has a  
> solution like adding the bad hosts temporary to pf.conf or so?

I use pam_af, which hooks into PAM. It is in pkgsrc: security/pam-af.
It blocks IP addresses that try (and fail) more than N logins in M
seconds for O time.

The bad guys try to get around this, however. I have seen login attempts
with fairly consistent interval from all kinds of different sources.
That clearly was coordinated, since the interval alwas was between 1 and
3 minutes.

I wish sshd would log passwords in these cases. I'm quite interested in
knowing which passwords they try.

-Olaf.
-- 
___ Olaf 'Rhialto' Seibert    -- You author it, and I'll reader it.
\X/ rhialto/at/xs4all.nl      -- Cetero censeo "authored" delendum esse.

Follow-Ups:
- Re: ssh scans
  - From: Philip

References:
- ssh scans
  - From: David Wetzel

Prev by Date: Re: ssh scans
Next by Date: Re: ssh scans
Previous by Thread: Re: ssh scans
Next by Thread: Re: ssh scans
Indexes:

Home | Main Index | Thread Index | Old Index