On Sat, 18 Jun 2005, Mike Pepe wrote:

> Thomas Cameron wrote:
> > These attacks appear to me to fire multiple concurrent connections to
> > get around the delay.
> Possibly. I found a script out there and modified it a bit, this will
> block the attacker after opening up 3 concurrent connections in 60 seconds:

I prefer pam_abl myself:

http://www.hexten.net/sw/pam_abl/index.mhtml

It automatically blacklists IPs which fail more than X logins in a user-specified time. All attempts after that fail, even if the user+pass supplied is correct.

Firewalling miscreants out is a dead giveaway for them, so they give up and immediately move on to the next victim. pam_abl is nice because it makes them waste their time.

Jun 13 05:18:47 sasami pam_abl[7593]: Blocking access from 210.0.178.146 to service sshd, user root
[...]
Jun 16 04:44:15 sasami pam_abl[20188]: Blocking access from 202.76.92.199 to service sshd, user root
[...]
Jun 16 07:15:28 sasami pam_abl[40]: Blocking access from mail.estudio-jardo.com.ar to service sshd, user mysql
Jun 16 07:31:33 sasami pam_abl[26812]: Blocking access from mail.estudio-jardo.com.ar to service sshd, user root
Jun 16 07:31:38 sasami pam_abl[13388]: Blocking access from mail.estudio-jardo.com.ar to service sshd, user root
Jun 16 07:31:43 sasami pam_abl[7209]: Blocking access from mail.estudio-jardo.com.ar to service sshd, user root

<3 <3 <3 <3 <3

It warms the heart to watch all these criminals waste their time bouncing off your auto-blacklist.

-Dan
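
Added example (not part of the message above and not pam_abl's own code): a small Python summarizer for the "Blocking access" syslog lines quoted in the message, showing per source how many blocked attempts were logged, which users were tried, and over what time span. The function names are hypothetical, the regular expression assumes exactly the line format shown in the message, and the year 2005 is an assumption taken from the message date because syslog timestamps carry none.

```python
import re
from datetime import datetime

# Log lines copied from the message above; its "[...]" elisions are left out.
SAMPLE_LOG = """\
Jun 13 05:18:47 sasami pam_abl[7593]: Blocking access from 210.0.178.146 to service sshd, user root
Jun 16 04:44:15 sasami pam_abl[20188]: Blocking access from 202.76.92.199 to service sshd, user root
Jun 16 07:15:28 sasami pam_abl[40]: Blocking access from mail.estudio-jardo.com.ar to service sshd, user mysql
Jun 16 07:31:33 sasami pam_abl[26812]: Blocking access from mail.estudio-jardo.com.ar to service sshd, user root
Jun 16 07:31:38 sasami pam_abl[13388]: Blocking access from mail.estudio-jardo.com.ar to service sshd, user root
Jun 16 07:31:43 sasami pam_abl[7209]: Blocking access from mail.estudio-jardo.com.ar to service sshd, user root
"""

BLOCK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ pam_abl\[\d+\]: "
    r"Blocking access from (?P<src>\S+) to service (?P<svc>\S+), user (?P<user>\S+)$"
)

def summarize_blocks(log_text, year=2005):
    """Group 'Blocking access' lines by source: count, users, first/last seen.

    Syslog timestamps carry no year; `year` is an assumption (2005, taken from
    the date of the message) so the timestamps parse unambiguously.
    """
    summary = {}
    for line in log_text.splitlines():
        m = BLOCK_RE.match(line.strip())
        if m is None:
            continue  # unrelated syslog line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        entry = summary.setdefault(
            m["src"], {"count": 0, "users": set(), "services": set(), "first": ts, "last": ts})
        entry["count"] += 1
        entry["users"].add(m["user"])
        entry["services"].add(m["svc"])
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
    return summary

def persistent_sources(summary, min_blocks=3):
    """Sources that kept trying after being blacklisted, busiest first."""
    hits = [(e["count"], src) for src, e in summary.items() if e["count"] >= min_blocks]
    return [src for _, src in sorted(hits, reverse=True)]

if __name__ == "__main__":
    report = summarize_blocks(SAMPLE_LOG)
    for src, e in report.items():
        print(f"{src}: {e['count']} blocked, users={sorted(e['users'])}, "
              f"span={e['last'] - e['first']}")
    print("persistent:", persistent_sources(report))
```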