Originally Posted by stlu
I am looking into an IP-based ban script.
Fail2ban can do that, but I just use a simple rate-limiting rule like this:
http://www.debian-administration.org/articles/187
Do you think I am right about sshd giving out information about which usernames are valid?
Doubt it. I check my server via logwatch, and if I forget to re-enable my firewall for whatever reason, the report I get looks something like this:
Code:
--------------------- SSHD Begin ------------------------

Couldn't resolve these IPs:
   10.173.72.37.static.swiftway.net [37.72.173.10]: 2 Time(s)

Didn't receive an ident from these IPs:
   180.149.253.167: 1 Time(s)
   222.240.161.179: 1 Time(s)

Illegal users from:
   undef: 1019 times
      root [preauth]: 980 times
      Pos [preauth]: 10 times
      pos [preauth]: 10 times
      POS [preauth]: 4 times
      aloha [preauth]: 4 times
      ALOHA [preauth]: 2 times
      ALOHA1 [preauth]: 1 time
      Pos1 [preauth]: 1 time
      Pos2 [preauth]: 1 time
      Pos3 [preauth]: 1 time
      crashplan [preauth]: 1 time
      pos1 [preauth]: 1 time
      pos2 [preauth]: 1 time
      pos3 [preauth]: 1 time
      rootjar [preauth]: 1 time
   180.149.253.167: 37 times
      Pos: 10 times
      pos: 10 times
      POS: 4 times
      aloha: 4 times
      ALOHA: 2 times
      ALOHA1: 1 time
      Pos1: 1 time
      Pos2: 1 time
      Pos3: 1 time
      pos1: 1 time
      pos2: 1 time
      pos3: 1 time
   222.240.161.179: 1 time
      rootjar: 1 time

Login attempted when not in AllowUsers list:
   root : 980 Time(s)

Received disconnect:
   11: Bye Bye [preauth]
      180.149.253.167 : 37 Time(s)
      222.240.161.179 : 959 Time(s)
      37.72.173.10 : 2 Time(s)
      92.53.107.245 : 19 Time(s)

---------------------- SSHD End -------------------------
Or this.
Code:
--------------------- SSHD Begin ------------------------

SSHD Killed: 3 Time(s)
SSHD Started: 3 Time(s)

Couldn't resolve these IPs:
   static.vdc.vn(123.30.127.253): 118 Time(s)

Illegal users from:
   undef: 376 times
      root [preauth]: 350 times
      bin [preauth]: 10 times
      oracle [preauth]: 4 times
      crashplan [preauth]: 2 times
      teamspeak [preauth]: 2 times
      test [preauth]: 2 times
      babalau [preauth]: 1 time
      kylix [preauth]: 1 time
      msr [preauth]: 1 time
      nagios [preauth]: 1 time
      postgres [preauth]: 1 time
      zafir [preauth]: 1 time
   123.30.127.253 (static.vdc.vn): 4 times
      oracle: 3 times
      test: 1 time
   199.127.98.22 (199-127-98-22.static.avestadns.com): 6 times
      teamspeak: 2 times
      nagios: 1 time
      oracle: 1 time
      postgres: 1 time
      test: 1 time
   222.241.154.235: 4 times
      babalau: 1 time
      kylix: 1 time
      msr: 1 time
      zafir: 1 time

Login attempted when not in AllowUsers list:
   bin : 10 Time(s)
   root : 350 Time(s)

Received disconnect:
   11: Bye Bye [preauth]
      123.30.127.253 : 118 Time(s)
      199.127.98.22 : 58 Time(s)
      222.241.154.235 : 198 Time(s)

---------------------- SSHD End -------------------------
Both these snippets were reports for the previous day.
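As an added example, not from either poster: a Python script that does for a constructed auth.log excerpt what logwatch does in the reports above (counts invalid user names, AllowUsers rejections and disconnects per source address), then picks out the addresses that cross a failure threshold and emits a drop rule for each, which is the core of the IP-based ban script the quoted question asks about. The log excerpt, host name, PIDs, addresses (RFC 5737 documentation ranges), the threshold of 3 failures and the iptables rule shape are all assumptions; only the sshd message formats are real.

```python
import re
from collections import Counter, defaultdict

# Constructed /var/log/auth.log excerpt for this example. The message formats are
# the ones OpenSSH sshd writes; the host name, PIDs, times and addresses
# (RFC 5737 documentation ranges) are made up.
SAMPLE_AUTH_LOG = """\
Jan 12 03:14:01 vps sshd[2231]: Invalid user pos from 203.0.113.45
Jan 12 03:14:03 vps sshd[2231]: Failed password for invalid user pos from 203.0.113.45 port 41022 ssh2
Jan 12 03:14:03 vps sshd[2231]: Received disconnect from 203.0.113.45: 11: Bye Bye [preauth]
Jan 12 03:14:05 vps sshd[2233]: Invalid user Pos from 203.0.113.45
Jan 12 03:14:07 vps sshd[2233]: Failed password for invalid user Pos from 203.0.113.45 port 41030 ssh2
Jan 12 03:14:07 vps sshd[2233]: Received disconnect from 203.0.113.45: 11: Bye Bye [preauth]
Jan 12 03:14:09 vps sshd[2235]: Invalid user aloha from 203.0.113.45
Jan 12 03:14:11 vps sshd[2235]: Failed password for invalid user aloha from 203.0.113.45 port 41038 ssh2
Jan 12 03:14:11 vps sshd[2235]: Received disconnect from 203.0.113.45: 11: Bye Bye [preauth]
Jan 12 03:20:41 vps sshd[2301]: User root from 198.51.100.7 not allowed because not listed in AllowUsers
Jan 12 03:20:43 vps sshd[2301]: Failed password for invalid user root from 198.51.100.7 port 53211 ssh2
Jan 12 03:20:43 vps sshd[2301]: Received disconnect from 198.51.100.7: 11: Bye Bye [preauth]
Jan 12 03:20:45 vps sshd[2303]: User root from 198.51.100.7 not allowed because not listed in AllowUsers
Jan 12 03:20:47 vps sshd[2303]: Failed password for invalid user root from 198.51.100.7 port 53219 ssh2
Jan 12 03:20:47 vps sshd[2303]: Received disconnect from 198.51.100.7: 11: Bye Bye [preauth]
Jan 12 04:02:12 vps sshd[2410]: Failed password for alice from 192.0.2.10 port 50122 ssh2
Jan 12 04:02:15 vps sshd[2410]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
RE_INVALID = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from " + IPV4)
RE_NOT_ALLOWED = re.compile(r"sshd\[\d+\]: User (\S+) from " + IPV4
                            + r" not allowed because not listed in AllowUsers")
RE_FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from " + IPV4)
RE_DISCONNECT = re.compile(r"sshd\[\d+\]: Received disconnect from " + IPV4 + r": (.*)$")


def parse_auth_log(text):
    """Aggregate sshd failures per source address, the way logwatch's SSHD section does."""
    stats = {
        "invalid": defaultdict(Counter),     # ip -> Counter(username): unknown or disallowed names
        "not_allowed": Counter(),            # username -> count: rejected by AllowUsers
        "failed": defaultdict(Counter),      # ip -> Counter(username): one entry per password failure
        "disconnect": defaultdict(Counter),  # reason -> Counter(ip)
    }
    for line in text.splitlines():
        if m := RE_INVALID.search(line):
            user, ip = m.groups()
            stats["invalid"][ip][user] += 1
        elif m := RE_NOT_ALLOWED.search(line):
            user, ip = m.groups()
            stats["not_allowed"][user] += 1
            stats["invalid"][ip][user] += 1   # sshd treats the name as invalid from here on
        elif m := RE_FAILED.search(line):
            user, ip = m.groups()
            stats["failed"][ip][user] += 1
        elif m := RE_DISCONNECT.search(line):
            ip, reason = m.groups()
            stats["disconnect"][reason][ip] += 1
        # Accepted logins and anything else are not failures; they are ignored.
    return stats


def summarize(stats):
    """Render the counts in the layout of the logwatch reports quoted in the post."""
    out = ["Illegal users from:"]
    for ip, users in sorted(stats["invalid"].items()):
        out.append(f"   {ip}: {sum(users.values())} times")
        for user, n in users.most_common():
            out.append(f"      {user}: {n} times")
    out.append("Login attempted when not in AllowUsers list:")
    for user, n in sorted(stats["not_allowed"].items()):
        out.append(f"   {user} : {n} Time(s)")
    out.append("Received disconnect:")
    for reason, ips in sorted(stats["disconnect"].items()):
        out.append(f"   {reason}")
        for ip, n in sorted(ips.items()):
            out.append(f"      {ip} : {n} Time(s)")
    return "\n".join(out)


def ban_candidates(stats, threshold=3):
    """Addresses with at least `threshold` password failures (assumed cut-off for a ban)."""
    return sorted(ip for ip, users in stats["failed"].items()
                  if sum(users.values()) >= threshold)


def ban_commands(ips, port=22):
    """iptables rules that would drop the offenders (assumed rule shape; only built, not run)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP" for ip in ips]


if __name__ == "__main__":
    stats = parse_auth_log(SAMPLE_AUTH_LOG)
    print(summarize(stats))
    for cmd in ban_commands(ban_candidates(stats)):
        print(cmd)
```

Run against the constructed excerpt it bans only 203.0.113.45 (three failures); 198.51.100.7 stops at two and the legitimate user's single typo from 192.0.2.10 is left alone. A permanent DROP rule is the simplest thing to emit, but a ban with an expiry (the `-m recent` rule in the linked article, or an ipset with a timeout) is what you actually want in production, otherwise one spoofed or shared address can lock out a real user indefinitely.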