There's a nice package called "fail2ban" on Sourceforge. It works with
the logs of various programs including ssh, apache, etc. and uses
iptables or hosts.deny to block IPs for a period after a specified
number of failures.

It's written in python and is pretty easy to configure for other
firewalls and logs.

-Seren Thompson

-----Original Message-----
From: Zembower, Kevin []
Sent: Tuesday, March 28, 2006 7:13 AM
Subject: Advice on dealing with scripted SSH attacks?

What's the current advice on dealing with scripts that repeatedly try to
log onto SSH using a list of common usernames and 'password' for the
password? I get up to 4,000 of these a day from a single server. In
searching Google on this, I've learned of techniques using PAM and
firewall rules that are created dynamically in response to log-in

Can someone point out a link or tell me what they think are the best
practices for dealing with this? Sooner or later, one of my users is
going to have the unfortunate combination of a common user name and a
bad password.

Ideally, what I'd like would be a system that exponentially increases
the timeout period after each repeated failed login attempt from the
same host up to a maximum of 10-20 minutes before resetting.

Thanks for your advice.

-Kevin Zembower
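To make concrete what both messages describe (a fail2ban-style counter that bans a source after N failures in a window, and the exponentially growing ban time Kevin asks for), here is an added Python example written for this page. It is not fail2ban's own code. The sshd log lines are constructed for the demo, the thresholds (3 failures in 10 minutes, first ban 1 minute, doubling to a 20-minute cap) are assumptions, and the iptables/hosts.deny commands are returned as strings rather than executed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import NamedTuple, Optional

# Constructed sshd syslog lines for the demo; not real traffic. Addresses are
# from the RFC 5737 documentation ranges. Syslog timestamps carry no year.
SAMPLE_LOG = """\
Mar 28 07:13:01 host sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 4022 ssh2
Mar 28 07:13:02 host sshd[1235]: Failed password for invalid user test from 192.0.2.10 port 4023 ssh2
Mar 28 07:13:03 host sshd[1236]: Failed password for root from 192.0.2.10 port 4024 ssh2
Mar 28 07:13:04 host sshd[1237]: Accepted publickey for kevin from 198.51.100.7 port 5001 ssh2
Mar 28 07:25:10 host sshd[1240]: Failed password for invalid user oracle from 192.0.2.10 port 4030 ssh2
Mar 28 07:25:11 host sshd[1241]: Failed password for invalid user guest from 192.0.2.10 port 4031 ssh2
Mar 28 07:25:12 host sshd[1242]: Failed password for invalid user admin from 192.0.2.10 port 4032 ssh2
Mar 28 07:30:00 host sshd[1250]: Failed password for invalid user admin from 203.0.113.5 port 6000 ssh2
Mar 28 07:45:00 host sshd[1260]: Failed password for invalid user admin from 203.0.113.5 port 6010 ssh2
Mar 28 07:45:01 host sshd[1261]: Failed password for invalid user test from 203.0.113.5 port 6011 ssh2
"""

# Matches OpenSSH's "Failed password" line for both valid and invalid users.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


class Ban(NamedTuple):
    ip: str
    start: datetime
    duration: timedelta


def parse_failed_login(line: str) -> Optional[tuple]:
    """Return (timestamp, ip) for an sshd 'Failed password' line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    # No year in syslog; strptime defaults to 1900, which is fine for deltas.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("ip")


class Jail:
    """Sliding-window failure counter with exponentially growing ban times."""

    def __init__(self, maxretry=3, findtime=timedelta(minutes=10),
                 bantime=timedelta(minutes=1), max_bantime=timedelta(minutes=20)):
        self.maxretry = maxretry            # failures inside findtime that trigger a ban
        self.findtime = findtime            # window over which failures are counted
        self.bantime = bantime              # length of the first ban
        self.max_bantime = max_bantime      # cap on the doubling (assumed 20 min)
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.ban_count = defaultdict(int)   # ip -> how many bans it has received
        self.banned_until = {}              # ip -> when its current ban expires

    def ban_duration(self, ip):
        """bantime * 2**n for an address banned n times before, capped."""
        return min(self.bantime * (2 ** self.ban_count[ip]), self.max_bantime)

    def observe(self, line):
        """Feed one log line; return a Ban if this line triggers one."""
        parsed = parse_failed_login(line)
        if parsed is None:
            return None
        ts, ip = parsed
        until = self.banned_until.get(ip)
        if until is not None and ts < until:
            return None  # still blocked; the firewall should be dropping these
        window = self.failures[ip]
        window.append(ts)
        while ts - window[0] > self.findtime:  # forget failures older than findtime
            window.popleft()
        if len(window) < self.maxretry:
            return None
        duration = self.ban_duration(ip)
        self.ban_count[ip] += 1
        self.banned_until[ip] = ts + duration
        window.clear()  # count afresh once the ban has expired
        return Ban(ip, ts, duration)


def block_commands(ban):
    """Hypothetical shell lines a deployment would run to enforce the ban."""
    return [
        f"iptables -I INPUT -s {ban.ip} -p tcp --dport 22 -j DROP",
        f"echo 'sshd: {ban.ip}' >> /etc/hosts.deny",
    ]


def run_jail(log_text, jail=None):
    """Scan a whole log and return the bans it would have produced, in order."""
    if jail is None:
        jail = Jail()
    bans = []
    for line in log_text.splitlines():
        ban = jail.observe(line)
        if ban is not None:
            bans.append(ban)
    return bans


if __name__ == "__main__":
    for ban in run_jail(SAMPLE_LOG):
        print(f"{ban.start:%b %d %H:%M:%S} ban {ban.ip} for {ban.duration}")
        for cmd in block_commands(ban):
            print("   ", cmd)
```

On the sample log, 192.0.2.10 is banned twice (1 minute after its third failure at 07:13:03, then 2 minutes after the second burst at 07:25:12), while 203.0.113.5 never reaches three failures inside the 10-minute window, so it is left alone. A real deployment would run the returned commands (and unban on expiry) rather than return them, and should remember that bans keyed on source address can lock out every user behind a shared NAT, so the cap on ban length matters as much as the doubling.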