--- "Zembower, Kevin" wrote:

> What's the current advice on dealing with scripts that repeatedly try to
> log onto SSH using a list of common usernames and 'password' for the
> password? I get up to 4,000 of these a day from a single server. In
> searching Google on this, I've learned of techniques using PAM and
> firewall rules that are created dynamically in response to log-in
> attempts.

I've seen systems where an entry is made in
/etc/hosts.allow for sshd: for the offending IP if too
many attempts are detected. But in order for this to
work, your sshd must be compiled with tcp_wrappers.
I see this sort of attack a lot, and if the attacking
script hits a tcp wrapped ssh, it will stop
immediately. After a few minutes/hours, the entry can
be removed from hosts.allow (or not).
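
An added sketch of the log-driven blocking described in this reply (not code from the poster or from any existing tool): it counts failed sshd password attempts per source address and produces the matching `/etc/hosts.allow` lines. Assumptions: OpenSSH-style "Failed password" syslog lines, a tcp_wrappers build that accepts the `deny` option from hosts_options(5), IPv4 only, and the hypothetical names `count_failures`, `deny_rules` and `never_block`.

```python
import ipaddress
import re
from collections import Counter

# Greedy ".*" makes the match land on the LAST " from <addr> port <n>" in the
# line, so a username crafted to contain " from 192.0.2.1 port 22" cannot
# steer the block onto an address the remote side chose.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for .* from (\S+) port \d+")

# Constructed sample lines (documentation address ranges), not real logs.
SAMPLE_LOG = """\
Mar  3 04:10:01 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Mar  3 04:10:03 host sshd[2103]: Failed password for invalid user test from 203.0.113.7 port 40120 ssh2
Mar  3 04:10:05 host sshd[2105]: Failed password for root from 203.0.113.7 port 40131 ssh2
Mar  3 04:11:40 host sshd[2110]: Failed password for kevin from 198.51.100.20 port 51000 ssh2
Mar  3 04:12:02 host sshd[2114]: Failed password for invalid user x from 192.0.2.1 port 22 from 203.0.113.7 port 40140 ssh2
Mar  3 04:12:30 host sshd[2120]: Accepted password for kevin from 198.51.100.20 port 51004 ssh2
"""

def count_failures(log_text):
    """Return a Counter of failed password attempts keyed by source IPv4."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.IPv4Address(m.group(1))  # IPv4 only in this sketch
        except ValueError:
            continue  # hostname or malformed value: never write it into a rule
        counts[str(addr)] += 1
    return counts

def deny_rules(log_text, threshold=3, never_block=()):
    """hosts.allow lines for addresses with at least `threshold` failures."""
    counts = count_failures(log_text)
    return [f"sshd: {ip} : deny"
            for ip, n in sorted(counts.items())
            if n >= threshold and ip not in never_block]

if __name__ == "__main__":
    print("\n".join(deny_rules(SAMPLE_LOG)))
```

tcp_wrappers stops at the first matching rule, so these lines have to sit above any broader `sshd:` allow entry in the file; `never_block` is there to keep your own management addresses from being locked out by a few mistyped passwords.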
