Tim Green wrote:
On 7/6/06, Laurie Brown laurie@brownowl.com wrote:
We get a lot (read thousands a day) of these lines in logs on all the machines we support, including our own:
Jul 6 16:53:24 xxx sshd[1628]: Invalid user chris from 202.202.43.110
It's a script kiddie trying to take advantage of an exploit in SSH. We use key-based authentication only, on SSH V2, so no real risk there, but it's annoying.
I use "ssh block", which I would tell you the URL for, except my Google-fu has failed me, and my working example is switched off due to excessive heat. It works by blocking the IP with iptables for a few days after 4 failed attempts. Can be whitelisted, of course.
It's not practical to use iptables on every machine like that, whereas the route command is simple and immediately effective on the machine being attacked.
Thanks for the link to "ssh block", I'll have a look and see if I can hack it a bit.
Cheers, Laurie.
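The approach discussed in this thread (count failed attempts per source address, block at 4, honour a whitelist), sketched as an added example that is not part of the original messages and is not the "ssh block" tool itself. The sample log, the whitelist address and the function names are constructed for illustration; the block commands are returned as strings rather than executed.

```python
import ipaddress
import re
from collections import Counter

# Line format quoted in the thread. The user name is client-supplied text, so the
# greedy ".*" makes the parser take the address after the LAST " from " on the line.
INVALID_USER = re.compile(
    r"sshd\[\d+\]: Invalid user (?P<user>.*) from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?: port \d+)?\s*$"  # newer sshd appends " port N"
)
THRESHOLD = 4                           # failed attempts before blocking, per the thread
WHITELIST = frozenset({"192.0.2.10"})   # assumed admin address (constructed)

# Constructed sample; only the first line is taken from the thread.
SAMPLE_LOG = """\
Jul 6 16:53:24 xxx sshd[1628]: Invalid user chris from 202.202.43.110
Jul 6 16:53:27 xxx sshd[1631]: Invalid user admin from 202.202.43.110
Jul 6 16:53:30 xxx sshd[1634]: Invalid user test from 202.202.43.110
Jul 6 16:53:33 xxx sshd[1637]: Invalid user guest from 202.202.43.110
Jul 6 16:54:02 xxx sshd[1650]: Invalid user oracle from 198.51.100.7
Jul 6 16:54:05 xxx sshd[1653]: Invalid user mysql from 198.51.100.7
Jul 6 16:54:08 xxx sshd[1656]: Invalid user ftp from 198.51.100.7
Jul 6 16:54:11 xxx sshd[1659]: Invalid user x from 192.0.2.10 from 198.51.100.7
"""

def offenders(log_text, threshold=THRESHOLD, whitelist=WHITELIST):
    """Return sorted source addresses with at least `threshold` invalid-user lines."""
    counts = Counter()
    for line in log_text.splitlines():
        m = INVALID_USER.search(line)
        if not m:
            continue
        try:
            # Reject anything that is not a well-formed IPv4 address before it
            # can end up inside a command line.
            ip = str(ipaddress.IPv4Address(m.group("ip")))
        except ValueError:
            continue
        counts[ip] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold and ip not in whitelist)

def block_commands(ips, method="route"):
    """Build the block command for each address: a reject route or an iptables DROP."""
    templates = {
        "route": "route add -host {ip} reject",
        "iptables": "iptables -I INPUT -s {ip} -j DROP",
    }
    return [templates[method].format(ip=ip) for ip in ips]

if __name__ == "__main__":
    for cmd in block_commands(offenders(SAMPLE_LOG)):
        print(cmd)
```

Expiring the block after a few days, as described for "ssh block", is not covered here and would need a record of when each address was added.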