[wplug] lousy european crackers

Drew from Zhrodague drewzhrodague at hotmail.com
Mon Sep 27 12:36:54 EDT 2004


> Lately I've been getting numerous (i.e. >20) attempted logins from such
> accounts as root, daemon, www, news, uucp, etc from the same IP address on
> any given day (though the IP address changes from day to day).  Is anyone
> aware of a configuration option for sshd that will freeze out a given IP
> address after a specified number of failed logins?  Barring that, is there
> another way to achieve the same effect?
>
> FWIW, none of the non-user accounts, including root, are permitted to
> login over ssh.

    Makes me think it would be useful to automate the reporting of this kind
of activity to the authorities -- spam too!

    You can manually block their IP, write a script to do it, or use
logwatch. Personally, I find it best to look through my logs occasionally,
and deal with things as they come.

    I get tons of script kiddies trying IIS exploits all day. I used to feed
them /usr/dict for each of their requests, but that just made my cable modem
connection slow. Now I just ignore them.
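
One way to write the blocking script mentioned in the reply above, as an added example that is not part of the original post: it counts failed sshd password attempts per source address and prints firewall rules for review. The log wording (OpenSSH syslog format), the threshold, the allowlist and all addresses are assumptions; the sample lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Anchored at end of line with a greedy user field, so the LAST "from <ip>"
# is used: the user name is chosen by the remote side and may itself
# contain " from <other-ip>" to get an innocent address blocked.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:invalid|illegal) user )?"
    r"(?P<user>.*) from (?P<ip>\S+) port \d+(?: ssh\d)?\s*$"
)

# Constructed sample lines (documentation address ranges), not real logs.
SAMPLE_LOG = """\
Sep 27 03:11:01 host sshd[2101]: Failed password for root from 203.0.113.9 port 40001 ssh2
Sep 27 03:11:03 host sshd[2102]: Failed password for illegal user daemon from 203.0.113.9 port 40002 ssh2
Sep 27 03:11:05 host sshd[2103]: Failed password for invalid user www from 203.0.113.9 port 40003 ssh2
Sep 27 03:11:09 host sshd[2105]: Failed password for invalid user x from 198.51.100.7 port 22 ssh2 from 203.0.113.9 port 40005 ssh2
Sep 27 03:12:00 host sshd[2110]: Failed password for carol from 198.51.100.7 port 51000 ssh2
Sep 27 03:12:30 host sshd[2111]: Accepted password for carol from 198.51.100.7 port 51001 ssh2
"""

def offenders(lines, threshold=3, allow=()):
    """Return {ip: failures} for sources with at least `threshold` failures."""
    counts = Counter()
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))  # drop malformed addresses
        except ValueError:
            continue
        # Never count addresses you administer from, to avoid self-lockout.
        if any(ip in ipaddress.ip_network(net) for net in allow):
            continue
        counts[str(ip)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

def block_rules(ips):
    """Format one iptables rule per offender; printed for review, not run."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP" for ip in sorted(ips)]

if __name__ == "__main__":
    hits = offenders(SAMPLE_LOG.splitlines(), threshold=3, allow=["192.0.2.0/24"])
    print("\n".join(block_rules(hits)))
```
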

