Thread: intrusion?

  #6  
Old 07-16-2008, 11:00 AM
Re: intrusion?

On Wed, 16 Jul 2008 14:39:30 GMT, Unruh wrote:
> There are ssh password attacks on your system-- trying to see if any of
> your users ( or any users) have weak passwords.
> Ban this IP address from your system by placing the address into a line
> like
>
> sshd: 72.3.243.92 :deny
>
> Do that before any sshd line giving universal permission, and after a line
> giving special sites permission.
>
> sshd: 199.99.99.99 199.222.111. :allow
> sshd: 72.3.243.92 :deny
> sshd: ALL :allow
>
> This allows anyone from 199.99.99.99 and from the network 199.222.111.0 to
> 199.222.111.254 to use sshd, disallows 72.3.243.92, and allows anyone else.
> This is to make sure that no one from your special list accidentally ends up
> in the deny line (it is always the first line which matches which applies).


And for anyone wondering where those lines might go, it would be
in /etc/hosts.allow if tcpwrappers is installed.

If using /etc/hosts.allow, I'd recommend creating /etc/hosts.deny with

#
# hosts.deny This file describes the names of the hosts which are
# *not* allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!


ALL: ALL:\
spawn ( \
/bin/echo -e "\n\
TCP Wrappers\: Connection Refused\n\
By\: $(uname -n)\n\
Process\: %d (pid %p)\n\
\n\
User\: %u\n\
Host\: %c\n\
Date\: $(date)\n\
" | /bin/mail -s \"$(uname -n)\" root ) & : DENY

#*********************** end hosts.deny ********************************


That will email root with a message about attempts which get by hosts.allow.

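To make the "first matching line wins" advice from the post concrete, here is an added example (my own script, not part of the thread and not tcp_wrappers' code): a small POSIX sh emulator of tcpd's access decision for the rule forms used above, exact IPv4 address, network prefix with a trailing dot, ALL, and a trailing allow/deny option. The hosts.allow and hosts.deny contents it reads are constructed copies of the rules in this thread written to a temp dir, and it goes one step beyond the thread's example by adding a pair of files that ban a whole network while keeping one host in it, differing only in line order. The spawn command is parsed past but never run, and EXCEPT lists and hostnames are not supported. On a real system, check the live files with tcpdmatch(8) instead of this.

```shell
#!/bin/sh
# Added example, not tcp_wrappers' own code: a small emulator of tcpd's
# access decision for the rule forms used in this thread, so the
# "first matching line wins" advice can be tried without editing the real
# /etc/hosts.allow. Supported client patterns: exact IPv4 address, network
# prefix with a trailing dot ("199.222.111."), and ALL. Supported options:
# a trailing allow/deny (any case). Backslash line continuations are joined
# as tcpd does; spawn commands are parsed past but never executed.
# On a live system check the real files with tcpdmatch(8) instead.
set -f   # rule text is split into words; never let it pathname-expand

# pattern_matches PATTERN CLIENT_IP -> 0 if CLIENT_IP matches PATTERN
pattern_matches() {
  pat=$1 ip=$2
  case "$pat" in
    ALL) return 0 ;;
    *.)  case "$ip" in "$pat"*) return 0 ;; esac ;;   # network prefix
    *)   [ "$pat" = "$ip" ] && return 0 ;;
  esac
  return 1
}

# check_file FILE DAEMON CLIENT_IP DEFAULT_VERDICT
# Prints the verdict of the first matching rule and returns 0; returns 1 when
# nothing in FILE matches, so the caller falls through to the next file.
check_file() {
  file=$1 daemon=$2 ip=$3 default=$4
  acc=
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in *\\) acc="$acc${line%\\}"; continue ;; esac  # continuation
    line="$acc$line"; acc=
    case "$line" in ''|\#*) continue ;; *:*) ;; *) continue ;; esac
    daemons=${line%%:*}
    rest=${line#*:}
    clients=${rest%%:*}
    case "$rest" in *:*) opts=${rest#*:} ;; *) opts= ;; esac
    dm=0
    for d in $daemons; do
      { [ "$d" = ALL ] || [ "$d" = "$daemon" ]; } && dm=1
    done
    [ "$dm" = 1 ] || continue
    for c in $clients; do
      pattern_matches "$c" "$ip" || continue
      verdict=$default
      for o in $opts; do
        case "$o" in
          [Aa][Ll][Ll][Oo][Ww]) verdict=allow ;;
          [Dd][Ee][Nn][Yy])     verdict=deny ;;
        esac
      done
      echo "$verdict"
      return 0
    done
  done < "$file"
  return 1
}

# decide DAEMON CLIENT_IP [ALLOW_FILE [DENY_FILE]] -> prints allow or deny,
# in tcpd's order: hosts.allow (default allow), hosts.deny (default deny),
# otherwise allow.
decide() {
  check_file "${3:-$ALLOW_FILE}" "$1" "$2" allow && return 0
  check_file "${4:-$DENY_FILE}"  "$1" "$2" deny  && return 0
  echo allow
}

# Constructed sample files (temp dir) reproducing the thread's rules.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
ALLOW_FILE=$WORK/hosts.allow
DENY_FILE=$WORK/hosts.deny
cat > "$ALLOW_FILE" <<'EOF'
# special sites first, then the banned address, then everyone else
sshd: 199.99.99.99 199.222.111. :allow
sshd: 72.3.243.92 :deny
sshd: ALL :allow
EOF
cat > "$DENY_FILE" <<'EOF'
# anything not settled in hosts.allow is refused (a real tcpd would also
# run the spawn command; the emulator only parses past it)
ALL: ALL: spawn (/bin/echo "refused %d from %c" | /bin/mail -s tcpd root) & \
  : DENY
EOF

# Beyond the thread's example: ban a whole network but keep one host in it.
# Only the line order differs between these two files.
ORDERED_FILE=$WORK/hosts.allow.ordered
MISORDERED_FILE=$WORK/hosts.allow.misordered
printf '%s\n' 'sshd: 199.222.111.5 :allow' 'sshd: 199.222.111. :deny' 'sshd: ALL :allow' > "$ORDERED_FILE"
printf '%s\n' 'sshd: 199.222.111. :deny' 'sshd: 199.222.111.5 :allow' 'sshd: ALL :allow' > "$MISORDERED_FILE"

for probe in 'sshd 72.3.243.92' 'sshd 199.222.111.7' 'sshd 10.0.0.5' 'in.ftpd 10.0.0.5'; do
  echo "$probe -> $(decide $probe)"
done
echo "ordered    sshd 199.222.111.5 -> $(decide sshd 199.222.111.5 "$ORDERED_FILE")"
echo "misordered sshd 199.222.111.5 -> $(decide sshd 199.222.111.5 "$MISORDERED_FILE")"
```

Running it shows the banned address refused and everyone else admitted to sshd, a daemon with no hosts.allow rule (in.ftpd here) falling through to the hosts.deny catch-all, and the same special host admitted or refused depending only on whether its :allow line comes before or after the network-wide :deny line.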