LinuxQuestions.org

#1  04-13-2006, 01:20 AM  matsko (Member, registered Dec 2005, 51 posts)
Brute Force SSH Login Preventer...


Does anyone know of a program that logs attempts to log into a web server (SSH, of course) and, if the attempted login failures go above a certain number (let's say 5), will simply disallow that host (the client's IP address) from continuing to access the server via the SSH connection?

I found one off of howtoforge.com; however, it was only written in Pascal and I don't really want to install those libraries to make it run. However, if there isn't anything written in native C or C++ code that can be compiled with GCC, then I will just have to go with the Pascal one...

Any ideas?
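A small tool of the kind the post asks for, as an added example (not code from any poster or from the Pascal tool mentioned): it reads sshd "Failed password" lines in the format they appear in auth.log, counts failures per source address within a sliding time window, flags a host once it reaches the limit and prints the iptables rule an admin would use to drop it. The log lines are constructed samples and the year is an assumption, since syslog timestamps carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of sshd lines in /var/log/auth.log format (not real traffic)
SAMPLE_LOG = """\
Apr 13 01:20:01 web sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Apr 13 01:20:03 web sshd[2203]: Failed password for invalid user test from 203.0.113.5 port 40125 ssh2
Apr 13 01:20:04 web sshd[2204]: Accepted publickey for alice from 198.51.100.7 port 51000 ssh2
Apr 13 01:20:06 web sshd[2206]: Failed password for root from 203.0.113.5 port 40130 ssh2
Apr 13 01:20:08 web sshd[2208]: Failed password for root from 203.0.113.5 port 40131 ssh2
Apr 13 01:20:09 web sshd[2210]: Failed password for alice from 198.51.100.7 port 51002 ssh2
Apr 13 01:20:11 web sshd[2211]: Failed password for invalid user oracle from 203.0.113.5 port 40140 ssh2
Apr 13 03:45:00 web sshd[3100]: Failed password for bob from 192.0.2.9 port 22000 ssh2
Apr 13 09:45:00 web sshd[3101]: Failed password for bob from 192.0.2.9 port 22001 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

def failed_logins(lines, year=2006):
    """Yield (timestamp, source_ip) for every sshd password failure in lines."""
    for line in lines:
        m = FAILED.match(line)
        if m:  # syslog stamps carry no year, so one is assumed / supplied by the caller
            yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"]

def offenders(lines, limit=5, window_s=600):
    """Map each IP that reached `limit` failures inside `window_s` seconds to the time it did."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    flagged = {}
    for ts, ip in failed_logins(lines):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()          # forget failures older than the window
        if len(q) >= limit and ip not in flagged:
            flagged[ip] = ts     # first moment the threshold was crossed
    return flagged

def drop_rules(ips):
    """iptables commands that cut the flagged hosts off from port 22."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP" for ip in ips]

if __name__ == "__main__":
    for rule in drop_rules(offenders(SAMPLE_LOG.splitlines())):
        print(rule)
```

In the sample only 203.0.113.5 reaches five failures inside ten minutes; 192.0.2.9 fails twice six hours apart and is left alone, which is the difference between a counter and a windowed counter.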

#2  04-13-2006, 02:56 AM  acid_kewpie (Moderator, registered Jun 2001, UK; Gentoo, RHEL, Fedora, CentOS)
You seen this? http://www.howtoforge.com/preventing...with_denyhosts ?

#3  04-13-2006, 06:45 AM  Capt_Caveman (Senior Member, registered Mar 2003; Fedora)
Take a look at the thread at the top of the forum on "Failed SSH Login Attempts". There are a number of solutions/tools listed for stopping them.

#4  04-18-2006, 07:46 PM  gabsik (Member, registered Dec 2005; Debian, Xubuntu)
I use these iptables rules:
# record each new connection attempt to port 22 in the "SSH" recent list first; without this --set rule the --update rules below never match
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_bruteforce:"
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

#5  04-19-2006, 01:14 AM  acid_kewpie (Moderator)
iptables has been impressing me more and more recently... a login every 15 seconds doesn't sound too much like brute force though... I guess what the OP would then like is a block, or more likely a long, long drop rule, pending too many hits.

#6  04-19-2006, 09:02 AM  gabsik (Member; Debian, Xubuntu)
Seconds are up to you. I think you can have a solid sshd server just by configuring it the right way:
PermitRootLogin no
AllowUsers userA userB userC
Protocol 2
LoginGraceTime 20s
MaxStartups 5
Banner /etc/ssh/sshd_banner
Most brute-forcer programs take 22 as the default and only port, so also change the default port.
The first thing I like to do is to add MD5 support to PAM applications, since this helps protect against dictionary cracks. Install libpam-cracklib and cracklib2, configure /etc/pam.d/login and /etc/pam.d/ssh, and add this to all other applications you want to protect:

password required pam_cracklib.so retry=3 minlen=12 difok=3
password required pam_unix.so use_authtok nullok md5

The first line loads the cracklib PAM module, which provides password strength checking, prompts for a new password with a minimum length of 12 characters and a difference of at least 3 characters from the old password, and allows 3 retries.
To make sure that the user root can only log into the system from local terminals, the following line should be enabled in /etc/pam.d/login:

auth requisite pam_securetty.so

This restricts the system resources that users are allowed. For example, you could restrict the number of concurrent logins users may have.

Now edit /etc/pam.d/passwd and change the first line. You should add the option "md5" to use MD5 passwords, change the minimum length of password from 4 to 6 (or more) and set a maximum length, if you desire. The resulting line will look something like:

password required pam_unix.so nullok obscure min=6 max=11 md5

Imagine you only want to allow user 'ref' to login via ssh. So you put him into /etc/sshusers-allowed and write the following into /etc/pam.d/ssh:

auth required pam_listfile.so item=user sense=allow file=/etc/sshusers-allowed onerr=fail

Last, but not least, create /etc/pam.d/other and enter the following lines:

auth required pam_securetty.so
auth required pam_unix_auth.so
auth required pam_warn.so
auth required pam_deny.so
account required pam_unix_acct.so
account required pam_warn.so
account required pam_deny.so
password required pam_unix_passwd.so
password required pam_warn.so
password required pam_deny.so
session required pam_unix_session.so
session required pam_warn.so
session required pam_deny.so

These lines will provide a good default configuration for all applications that support PAM (access is denied by default).
Add this to login.defs:
FAIL_DELAY 10
If a wrong password is typed in, the possible attacker (or normal user!) has to wait 10 seconds to get a new login prompt.
If you enable this variable, failed logins will be logged. It is important to keep track of them to catch someone who tries a brute force attack.
LOG_UNKFAIL_ENAB yes
If you set the variable "FAILLOG_ENAB" to yes, then you should also set this variable to yes.
SYSLOG_SU_ENAB yes
MD5_CRYPT_ENAB yes
As stated above, MD5 sum passwords greatly reduce the problem of dictionary attacks, since you can use longer passwords. Otherwise this is set in PAM.
PASS_MAX_LEN 50
If MD5 passwords are activated in your PAM configuration, then this variable should be set to the same value as used there.

Look at these links:

SSH Brute Force Attacks and Counter Measures

* http://isc.sans.org/diary.php?date=2004-11-04
* http://isc.sans.org/diary.php?date=2004-11-02
* http://isc.sans.org/diary.php?date=2004-09-11
* http://isc.sans.org/diary.php?date=2004-08-30
* http://isc.sans.org/diary.php?date=2004-08-29
* http://isc.sans.org/diary.php?date=2004-08-22
* http://seclists.org/lists/firewall-w.../Jun/0154.html
* http://www.counterpane.com/alert-cis20040910-1.html
* http://searchsecurity.techtarget.com...094140,00.html
* http://www.frsirt.com/exploits/08202004.brutessh2.c.php


OK?
Ciao!!!!!

Last edited by gabsik; 04-19-2006 at 11:01 AM.