too many illegal connection attempts through ssh

[Philip Hallstrom]

>>>> shown below is snapshot of too many illegal attempts to login to
>>>> my server from a suspicious hacker. this is taken from the
>>>> "/var/log/auth.log". my question is, how do i automatically block
>>>> an IP address if it is attempting to guess my login usernames?
>>>> can i configure the firewall to check the instances a certain IP
>>>> has attempted to access/ssh the sevrer, and if it has failed to
>>>> login for about "x" number of attempts, it will be blocked
>>>> automatically?
>>>
>>> This question is asked on the list ever so often - see the archives
>>> for suggestions. These are automated attacks, they come regularly
>>> as crackers, black hats or script kidies scan across the net.
>>
>> Does anybody know what robots beeing used? And on what systems? All
>> you mention later in your posting is true of course and I needn't
>> care about these logs, but it's like like somebody unknown puts 10
>> flyers in your letterbox every night. I'm sure, one night you'll hide
>> and build a trap for that person. I'm too lazy to enter those
>> net-circles for finding these robots, but maybe some other has
>> already done that?

I haven't done that, but if you don't like them you can block them fairly 
easily... I wrote a little script in PHP (not that it would be hard to 
re-write in perl or whatever) that watches /var/log/auth.log and if it 
sees an invalid login, it adds a firewall rule to block that IP.

Then I've got a separate cronjob that removes those firewall rules a 
couple minutes later.

Yes, I have locked myself out of my own server when I mistype my password, 
but I just wait a minute and it lets me back in.

I thought about modifying it so instead of outright blocking it, it put 
it into a pipe that limited it's bandwidth to almost nil just to hold the 
thing up a bit, but this works for me..

http://www.pjkh.com/sshmonitor/

-philip