Unruh wrote:
> gtu2003@alice.it writes:
>
>>In my /var/log/messages I have a lot (6000+) of:
>
>>Jul 16 12:51:20 sole sshd[6669]: Invalid user clamav from 72.3.243.92
>>Jul 16 12:51:21 sole sshd[6671]: Invalid user appserver from 72.3.243.92
>>Jul 16 12:51:23 sole sshd[6673]: Invalid user mailman from 72.3.243.92
>>Jul 16 12:51:25 sole sshd[6675]: Invalid user cyrusimap from 72.3.243.92
>>Jul 16 12:51:27 sole sshd[6677]: Invalid user qtss from 72.3.243.92
>>Jul 16 12:51:28 sole sshd[6679]: Invalid user eppc from 72.3.243.92
>>Jul 16 12:51:30 sole sshd[6681]: Invalid user telnetd from 72.3.243.92
>>Jul 16 12:51:32 sole sshd[6683]: Invalid user identd from 72.3.243.92
>>Jul 16 12:51:33 sole sshd[6685]: Invalid user gnats from 72.3.243.92
>>Jul 16 12:51:35 sole sshd[6687]: Invalid user jeff from 72.3.243.92
>>Jul 16 12:51:37 sole sshd[6689]: Invalid user irc from 72.3.243.92
>
> There are ssh password attacks on your system -- trying to see if any of
> your users (or any users) have weak passwords.
> Ban this IP address from your system by placing the address into a line
> like
>
> sshd: 72.3.243.92 :deny
>
> Do that before any sshd line giving universal permission, and after a line
> giving special sites permission.
>
> sshd: 199.99.99.99 199.222.111. :allow
> sshd: 72.3.243.92 :deny
> sshd: ALL :allow
>
> This allows anyone from 199.99.99.99 and from the network 199.222.111.0
> to 199.222.111.254 to use sshd, disallows 72.3.243.92, and allows anyone
> else. This is to make sure that no one accidentally from your special list
> ends up in the deny line (it is always the first line which matches which
> applies).
>
>
>>What is it? Do I need to write to something like abuse@72.3.243.92?
>
> You can try. It probably will not do any good. I now have 140 IP addresses
> in my hosts.allow file who are banned from my site for behaviour like
> this.
Thank you very much. Does someone know a simple script that does the following:
* watches the logs
* if there are a lot of invalid accesses from an IP, it blocks only this IP for an hour
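
One way to do what is asked above, as an added example that is not part of the original thread: it counts "Invalid user" lines per IP in a sliding window, keeps a ban for one hour, and renders it in the `sshd: ... :deny` syntax quoted earlier. The function names, the threshold of 5 attempts per minute and the year used for parsing are assumptions; writing the rules into hosts.allow in the order the quoted reply describes is left to the operator.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The IP is anchored to the end of the line because the user name is chosen
# by the client and may itself contain " from <address>".
# The optional " port N" suffix is what newer OpenSSH versions append.
LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Invalid user .* from (\d{1,3}(?:\.\d{1,3}){3})(?: port \d+)?$"
)

def find_offenders(lines, threshold=5, window=timedelta(minutes=1), year=2000):
    """Map each IP to the time it reached `threshold` invalid-user attempts
    inside a sliding `window`. syslog omits the year, so `year` is assumed."""
    recent = defaultdict(deque)
    offenders = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        attempts = recent[m.group(2)]
        attempts.append(ts)
        while ts - attempts[0] > window:
            attempts.popleft()          # forget attempts older than the window
        if len(attempts) >= threshold:
            offenders.setdefault(m.group(2), ts)
    return offenders

def active_bans(offenders, now, ban=timedelta(hours=1)):
    """Drop bans older than `ban`, so each IP is blocked for one hour only."""
    return {ip: t for ip, t in offenders.items() if now - t < ban}

def deny_rules(bans):
    """Render bans as hosts.allow lines in the syntax quoted in the thread."""
    return [f"sshd: {ip} :deny" for ip in sorted(bans)]

# Sample input: five lines from the thread plus two constructed ones
# (203.0.113.7 is a documentation address).
SAMPLE = """\
Jul 16 12:51:20 sole sshd[6669]: Invalid user clamav from 72.3.243.92
Jul 16 12:51:21 sole sshd[6671]: Invalid user appserver from 72.3.243.92
Jul 16 12:51:23 sole sshd[6673]: Invalid user mailman from 72.3.243.92
Jul 16 12:51:25 sole sshd[6675]: Invalid user cyrusimap from 72.3.243.92
Jul 16 12:51:27 sole sshd[6677]: Invalid user qtss from 72.3.243.92
Jul 16 12:52:01 sole sshd[6700]: Invalid user bob from 203.0.113.7
Jul 16 12:52:40 sole sshd[6702]: Invalid user x from 72.3.243.92 from 203.0.113.7
"""
```

Run periodically over the recent log, `deny_rules(active_bans(find_offenders(lines), datetime.now()))` gives the deny lines that should currently be present; an IP drops out of the list once its hour has passed.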