We do the same but there is an issue. One, File::Tail delays polling the log for up to 30 seconds unless you tell it otherwise. So it will allow a number of attempts before reading the log. If you increase the polling you add load to the system. Not much but some.

We like the idea of adding the timer to iptables along with logging so the address can be tracked. If the address comes back then it can be added to a permanent block.

Phil

On Mon, 2007-05-21 at 21:12, Robert Banz wrote:
> On May 21, 2007, at 21:50, Daniel O'Connor wrote:
>
> > On Tuesday 22 May 2007 05:10, Matthew Schumacher wrote:
> >> I'm getting some spammer trying to guess usernames and passwords:
> >
> > I use the following to protect my SSH server (well not the SSH server
> > per se, just me reading logfiles the next day)
> >
> > http://www.gsoft.com.au/~doconnor/brute-force-mitigation.html
> >
> > Needs PF though.
>
> I take the approach of having a perl script (yay! File::Tail) sit and
> watch the logs on each server looking for signs of ssh (could easily
> be used for other things like pop as well) brute force attacks. A
> certain # of failed logins in a time window from a single IP will
> cause that IP to get blocked by ipfilter for an appropriate period of
> time, after which the block is removed. This stops most of your
> brute-force guessers; after a few tries of having their packets end
> up on the floor, they go away.
>
> -rob
> ----
> Cyrus Home Page: http://cyrusimap.web.cmu.edu/
> Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
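Rob's per-IP failure count in a time window with a timed block, plus Phil's follow-up of tracking the address and blocking it permanently if it comes back, as an added example that is not code from either poster (Python rather than their Perl/File::Tail script). The threshold, window, block time, sample log lines and the iptables commands are assumptions; the commands are returned as strings for inspection, never executed.

```python
import re
from collections import defaultdict, deque

# Constructed sshd-style records as (seconds, message); sample data, not from the thread.
SAMPLE_LOG = (
    [(t, "Failed password for invalid user admin from 203.0.113.7 port 4011 ssh2") for t in range(5)]
    + [(t, "Failed password for root from 198.51.100.9 port 5020 ssh2") for t in (10, 12, 100, 110, 120)]
    + [(700 + t, "Failed password for invalid user admin from 203.0.113.7 port 4013 ssh2") for t in range(5)]
)
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+)")

class BruteForceWatcher:
    def __init__(self, threshold=5, window=60, block_secs=600, strikes_to_permanent=2):
        self.threshold, self.window = threshold, window
        self.block_secs, self.strikes_to_permanent = block_secs, strikes_to_permanent
        self.failures = defaultdict(deque)  # ip -> failure timestamps inside the window
        self.blocked_until = {}             # ip -> expiry of its temporary block
        self.strikes = defaultdict(int)     # ip -> temporary blocks already issued
        self.permanent = set()

    def feed(self, now, line):
        # Process one log line; returns the firewall commands (returned only, never executed here).
        cmds = []
        for ip, until in list(self.blocked_until.items()):  # lift blocks whose timer ran out
            if now >= until:
                del self.blocked_until[ip]
                cmds.append(f"iptables -D INPUT -s {ip} -j DROP")
        m = FAILED_RE.search(line)
        if not m or m.group(1) in self.permanent or m.group(1) in self.blocked_until:
            return cmds
        ip, q = m.group(1), self.failures[m.group(1)]
        q.append(now)
        while now - q[0] > self.window:  # forget failures that fell out of the window
            q.popleft()
        if len(q) >= self.threshold:
            q.clear()
            self.strikes[ip] += 1
            if self.strikes[ip] >= self.strikes_to_permanent:  # came back after a timed block
                self.permanent.add(ip)
                cmds.append(f"iptables -I INPUT -s {ip} -j DROP  # permanent")
            else:
                self.blocked_until[ip] = now + self.block_secs
                cmds.append(f"iptables -I INPUT -s {ip} -j DROP  # until t={now + self.block_secs}")
        return cmds

def run(log):
    # Replay (seconds, line) records in time order; returns the watcher and every command emitted.
    watcher, cmds = BruteForceWatcher(), []
    for ts, line in log:
        cmds.extend(watcher.feed(ts, line))
    return watcher, cmds
```

Because a polling tailer hands over lines in batches, the watcher still counts every failure in the batch and emits the block as soon as the threshold is crossed; the second address stays under the threshold once its older failures age out of the window.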