Earlier I looked through the logs in /var/spool/mail/root
and most of them look like this:
Sample code:
ailed password for invalid user recruit from ::ffff:124.125.131.162 port 56336 ssh2
Failed password for invalid user recruit from ::ffff:124.125.131.162 port 56336 ssh2
Invalid user alias from ::ffff:124.125.131.162
input_userauth_request: invalid user alias
Failed password for invalid user alias from ::ffff:124.125.131.162 port 56830 ssh2
Failed password for invalid user alias from ::ffff:124.125.131.162 port 56830 ssh2
Invalid user office from ::ffff:124.125.131.162
input_userauth_request: invalid user office
Failed password for invalid user office from ::ffff:124.125.131.162 port 57625 ssh2
Failed password for invalid user office from ::ffff:124.125.131.162 port 57625 ssh2
Invalid user samba from ::ffff:124.125.131.162
input_userauth_request: invalid user samba
Failed password for invalid user samba from ::ffff:124.125.131.162 port 58053 ssh2
Failed password for invalid user samba from ::ffff:124.125.131.162 port 58053 ssh2
Invalid user tomcat from ::ffff:124.125.131.162
input_userauth_request: invalid user tomcat
Failed password for invalid user tomcat from ::ffff:124.125.131.162 port 58625 ssh2
Failed password for invalid user tomcat from ::ffff:124.125.131.162 port 58625 ssh2
Invalid user webadmin from ::ffff:124.125.131.162
input_userauth_request: invalid user webadmin
Failed password for invalid user webadmin from ::ffff:124.125.131.162 port 59110 ssh2
How do I make it so that if there are, say, 3 consecutive failed login attempts from a given IP address, it gets a ban/ignore for 24 or 48 hours? So far I have only set a 5-second timeout on SSH, so that the brute-forcing trips up. Is there another way to protect it?
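
The rule asked about above (ban an address after 3 consecutive failed logins, for 24 hours), written as detection logic over log lines in the format shown in the post. This is an added example, not part of the original post: the function names are hypothetical, the sample lines are constructed with documentation-range addresses, and it only computes the ban list (feeding it to a firewall is left out).

```python
import ipaddress
import re
from datetime import datetime, timedelta

FAILED = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")
ACCEPTED = re.compile(r"Accepted \S+ for \S+ from (\S+) port \d+")

def normalize_ip(raw):
    """Turn the IPv4-mapped form sshd logs (::ffff:a.b.c.d) into plain IPv4."""
    addr = ipaddress.ip_address(raw)
    mapped = getattr(addr, "ipv4_mapped", None)
    return str(mapped or addr)

def find_bans(lines, now, threshold=3, ban_hours=24):
    """Return {ip: ban_expiry} for IPs with `threshold` consecutive failures."""
    streak, bans, previous = {}, {}, None
    for line in lines:
        line = line.strip()
        # Assumption: an identical line repeated back to back is a duplicate
        # log entry (as in the post's digest), not a second attempt.
        if line == previous:
            continue
        previous = line
        ok = ACCEPTED.search(line)
        if ok:
            streak[normalize_ip(ok.group(1))] = 0  # a success breaks the streak
            continue
        bad = FAILED.search(line)
        if not bad:
            continue
        ip = normalize_ip(bad.group(1))
        streak[ip] = streak.get(ip, 0) + 1
        if streak[ip] >= threshold and ip not in bans:
            bans[ip] = now + timedelta(hours=ban_hours)
    return bans

# Constructed sample in the post's log format; addresses are documentation ranges.
SAMPLE = """\
Invalid user alias from ::ffff:203.0.113.7
Failed password for invalid user alias from ::ffff:203.0.113.7 port 56830 ssh2
Failed password for invalid user alias from ::ffff:203.0.113.7 port 56830 ssh2
Failed password for invalid user office from ::ffff:203.0.113.7 port 57625 ssh2
Failed password for root from ::ffff:198.51.100.9 port 40001 ssh2
Failed password for root from ::ffff:198.51.100.9 port 40002 ssh2
Accepted password for root from ::ffff:198.51.100.9 port 40003 ssh2
Failed password for root from ::ffff:198.51.100.9 port 40004 ssh2
Failed password for invalid user samba from ::ffff:203.0.113.7 port 58053 ssh2
""".splitlines()
```

Calling `find_bans(SAMPLE, now=datetime.now())` returns only the first address: the second one logged in successfully before reaching three failures in a row, which resets its count.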