sshd behaviour when people are trying to break in

Mark Burton markb at ordern.com
Wed Nov 15 07:19:06 EST 2006


Hi,

When people try and break into my system from the internet I get lots
of messages like:

Nov 14 19:08:13 rook sshd[6333]: Failed password for invalid user guest from 210.83.48.238 port 40811 ssh2
Nov 14 19:08:19 rook sshd[6338]: Invalid user admin from 210.83.48.238
Nov 14 19:08:19 rook sshd[6338]: Failed password for invalid user admin from 210.83.48.238 port 40920 ssh2
Nov 14 19:08:24 rook sshd[6342]: Invalid user admin from 210.83.48.238
Nov 14 19:08:24 rook sshd[6342]: Failed password for invalid user admin from 210.83.48.238 port 40994 ssh2
Nov 14 19:08:29 rook sshd[6346]: Invalid user user from 210.83.48.238
Nov 14 19:08:29 rook sshd[6346]: Failed password for invalid user user from 210.83.48.238 port 41070 ssh2
Nov 14 19:08:35 rook sshd[6351]: Failed password for root from 210.83.48.238 port 41137 ssh2
Nov 14 19:08:40 rook sshd[6355]: Failed password for root from 210.83.48.238 port 41204 ssh2
Nov 14 19:08:45 rook sshd[6359]: Failed password for root from 210.83.48.238 port 41279 ssh2

It would be good if sshd could detect such break in attempts and
simply not accept the connections. I can imagine having a simple
mechanism that counts the number of login attempts from a given IP
address and if so many are attempted in a short time period, that IP
address is blacklisted for a while.

Is something like that possible?

Thanks,

Mark


More information about the openssh-unix-dev mailing list