Hi there,

After a few days' filtering I have caught 16 attempts:

root@deltree:~# firewall-check-ssh-fail -vf /var/log/messages

Mostly from China:
root@deltree:~# firewall-check-ssh-fail -vf /var/log/messages -c
58.208.0.0/12 # CN:China
82.64.0.0/14 # FR:France
88.224.0.0/11 # TR:Turkey
121.8.0.0/13 # CN:China
122.204.0.0/14 # CN:China
123.108.200.0/21 # IN:India
123.112.0.0/12 # CN:China
123.216.0.0/13 # JP:Japan
124.104.0.0/14 # PH:Philippines
125.40.0.0/13 # CN:China
174.132.0.0/15 # US:United States
203.177.128.0/18 # PH:Philippines
206.221.176.0/20 # US:United States
210.32.0.0/14 # CN:China
218.206.0.0/15 # CN:China
found 15 /usr/local/etc/ssh-ban-list offender IPs

Most of the time I was running the block-by-CIDR rules. The script merges
into the stored list on each run, and has an option to replace the stored list.

Script is here: http://bugsplatter.id.au/firewall/fi...check-ssh-fail

Bash with awk helpers; the -c (country names) option requires ip2cn-server. That
and the matching geolocation database tarball are also available, all GPLv2.

Grant.
--
http://bugsplatter.id.au/
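
Added example, not part of the original post and not the firewall-check-ssh-fail source: a sketch of the merge-or-replace ban list update described above. It assumes OpenSSH "Failed password" syslog lines; the function names and sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example; assumed behaviour, not the firewall-check-ssh-fail source.

# Constructed sample log (documentation-range addresses, made-up PIDs and users).
write_sample_log() {
    cat > "$1" <<'EOF'
Mar  1 02:11:07 deltree sshd[2101]: Failed password for root from 203.0.113.57 port 40022 ssh2
Mar  1 02:11:09 deltree sshd[2101]: Failed password for root from 203.0.113.57 port 40022 ssh2
Mar  1 02:14:30 deltree sshd[2107]: Failed password for invalid user admin from 198.51.100.46 port 51514 ssh2
Mar  1 02:15:02 deltree sshd[2110]: Accepted password for alice from 192.0.2.10 port 50000 ssh2
Mar  1 02:16:44 deltree sshd[2113]: Failed password for invalid user a from 192.0.2.99 from 198.51.100.7 port 33333 ssh2
EOF
}

sort_ips() { sort -u -t. -k1,1n -k2,2n -k3,3n -k4,4n; }

# Unique source IPs of failed sshd password logins, numerically sorted.
# The address is read from the fixed tail "from <ip> port <n> ssh2", because
# the user name earlier in the line is supplied by the remote client.
extract_offenders() {
    awk '/sshd\[[0-9]+\]: Failed password for / &&
         $(NF-4) == "from" && $(NF-2) == "port" &&
         $(NF-3) ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $(NF-3) }' "$1" | sort_ips
}

# update_ban_list LOG LIST [merge|replace]: prints the resulting entry count.
update_ban_list() (
    tmp=$(mktemp) || exit 1
    if [ "${3:-merge}" = merge ] && [ -f "$2" ]; then
        { cat "$2"; extract_offenders "$1"; } | sort_ips > "$tmp"   # keep old entries
    else
        extract_offenders "$1" > "$tmp"                             # start afresh
    fi
    mv "$tmp" "$2" && wc -l < "$2" | tr -d ' '
)

# Demo in a scratch directory: seed a stored list, merge, then replace.
demo_dir=$(mktemp -d)
write_sample_log "$demo_dir/messages"
printf '192.0.2.200\n203.0.113.57\n' > "$demo_dir/ssh-ban-list"
echo "merged:   $(update_ban_list "$demo_dir/messages" "$demo_dir/ssh-ban-list")"
echo "replaced: $(update_ban_list "$demo_dir/messages" "$demo_dir/ssh-ban-list" replace)"
rm -rf "$demo_dir"
```

The list is written to a temporary file and moved into place, so a firewall reload that reads it mid-update never sees a half-written file.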