I need help with a firewall idea I'm having.
When I look at the messages log of my machines, all I see is this. I know this is a waste of bandwidth, and what if they actually guess the correct password!?
Code:
Dec 2 15:57:36 dev sshd(pam_unix)[18762]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=84.17.80.230
Dec 2 15:57:45 dev sshd(pam_unix)[18764]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=84.17.80.230 user=bin
Dec 2 15:57:54 dev sshd(pam_unix)[18766]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=84.17.80.230 user=daemon
Dec 2 15:58:03 dev sshd(pam_unix)[18768]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=84.17.80.230 user=lp
Dec 2 15:58:12 dev sshd(pam_unix)[18770]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=84.17.80.230 user=sync
Dec 2 15:58:22 dev sshd(pam_unix)[18772]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=84.17.80.230 user=shutdown
Dec 2 15:58:31 dev sshd(pam_unix)[18774]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=84.17.80.230 user=halt
Dec 2 15:58:40 dev sshd(pam_unix)[18776]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=84.17.80.230 user=uucp
Dec 2 15:58:50 dev sshd(pam_unix)[18778]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=84.17.80.230 user=smmsp
Dec 2 15:58:59 dev sshd(pam_unix)[18780]: check pass; user unknown
Dec 2 15:58:59 dev sshd(pam_unix)[18780]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=84.17.80.230
Dec 2 15:59:08 dev sshd(pam_unix)[18782]: check pass; user unknown
Dec 2 15:59:08 dev sshd(pam_unix)[18782]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=84.17.80.230
Dec 2 15:59:17 dev sshd(pam_unix)[18784]: check pass; user unknown
Dec 2 15:59:17 dev sshd(pam_unix)[18784]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=84.17.80.230
Dec 2 15:59:26 dev sshd(pam_unix)[18786]: check pass; user unknown
Dec 2 15:59:26 dev sshd(pam_unix)[18786]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=84.17.80.230
Dec 2 15:59:35 dev sshd(pam_unix)[18788]: check pass; user unknown
Dec 2 15:59:35 dev sshd(pam_unix)[18788]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=84.17.80.230
Dec 2 15:59:44 dev sshd(pam_unix)[18790]: check pass; user unknown
Dec 2 15:59:44 dev sshd(pam_unix)[18790]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=84.17.80.230
Dec 2 15:59:54 dev sshd(pam_unix)[18792]: check pass; user unknown
Dec 2 15:59:54 dev sshd(pam_unix)[18792]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=84.17.80.230
Dec 2 16:00:03 dev sshd(pam_unix)[18794]: check pass; user unknown
Dec 2 16:00:03 dev sshd(pam_unix)[18794]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=84.17.80.230
Dec 2 16:00:12 dev sshd(pam_unix)[18796]: check pass; user unknown
Dec 2 16:00:12 dev sshd(pam_unix)[18796]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=84.17.80.230
Dec 2 16:00:21 dev sshd(pam_unix)[18798]: check pass; user unknown
Dec 2 16:00:21 dev sshd(pam_unix)[18798]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=84.17.80.230
Dec 2 16:00:30 dev sshd(pam_unix)[18800]: check pass; user unknown
Dec 2 16:00:30 dev sshd(pam_unix)[18800]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=84.17.80.230
Dec 2 16:00:39 dev sshd(pam_unix)[18802]: check pass; user unknown
Anyway, I usually block these IP addresses after the fact using
Code:
iptables -I INPUT -s 84.17.80.230 -d 0/0 -j DROP
I like just dropping their packets

But I'm doing this way after the fact and they will probably never try again. So what is the point?
So I was thinking, is there a way to have iptables add that rule after someone tries to login unsuccessfully 4 or 5 times?