I don't know if it is exactly what you are looking
but I know a lot of people that are using the Ossec
HIDS to block these attempts. It analyzes the logs in
real time and after a few number of failed logins or
invalid users from the same source IP, it blocks this
IP for a few minutes (default to 6 minutes). It is
very easy to install and can be helpful

*a new version has just been released


Daniel B. Cid
dcid @ ( at ) ossec.net

--- "Zembower, Kevin" escreveu:

> What's the current advice on dealing with scripts
> that repeatedly try to
> log onto SSH using a list of common usernames and
> 'password' for the
> password? I get up to 4,000 of these a day from a
> single server. In
> searching Google on this, I've learned of techniques
> using PAM and
> firewall rules that are created dynamically in
> response to log-in
> attempts.
> Can someone point out a link or tell me what they
> think are the best
> practices for dealing with this? Sooner or later,
> one of my users is
> going to have the unfortunate combination of a
> common user name and a
> bad password.
> Ideally, what I'd like would be a system that
> exponentially increases
> the timeout period after each repeated failed login
> attempt from the
> same host up to a maximum of 10-20 minutes before
> resetting.
> Thanks for your advice.
> -Kevin Zembower

__________________________________________________ _____
Novo Yahoo! Messenger com voz: Instale agora e faça ligações de graça.