On Sat, 2005-06-18 at 16:27, Dan Hollis wrote: > On Sat, 18 Jun 2005, Mike Pepe wrote: > > Thomas Cameron wrote: > > > These attacks appear to me to fire multiple concurrent connections to > > > get around the delay. > > Possibly. I found a script out there and modified it a bit, this will > > block the attacker after opening up 3 concurrent connections in 60 seconds: > > I prefer pam_abl myself: http://www.hexten.net/sw/pam_abl/index.mhtml > > It automatically blacklists IPs which fail more than X logins in a > user-specified time. All attempts after that fail, even if the user+pass > supplied is correct. > Excellent tip Dan, thanks a lot! -- Tarjei