Re: Automatic blocking of attackers' IP

From: FEEB (
Date: 09/07/04

Date: Tue, 07 Sep 2004 13:12:47 -0400 (EDT)

On 7 Sep 2004 16:56:58 GMT, Mark A. Odell wrote:

>"FEEB" <> wrote in
>>>> I would like to have the following scenario implemented on my
>>>> 1.
>>>> Someone tries repeatedly and illegally to log in as 'admin', 'root'
>>>> whatever from some IP using SSH (or any other means).
>>>Why not just set hosts.deny to ALL: ALL and then open up only those IPs or
>>>domains you wish to allow in hosts.allow?
>> We must be open to anyone. That's our business :-)
>Ah. Then just put the bad IP or IP range into the hosts.deny. Of course
>this won't scale well for many IP addresses.

It would be quite inconvenient in our case of 4 full C-blocks.

The mechanism of blocking the intruder is available. However, I want to
do it automatically and only after a certain trigger level has been
reached. I know how to do it, I just do not want to reinvent the wheel.

Frank Bures, <>
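
The threshold-triggered blocking discussed in this thread, as an added example that is not part of the original post: it counts failed SSH logins per source address in a sliding window and emits hosts.deny rules only for addresses that reach the trigger level. The function names, the threshold of 3, the 10-minute window, the year default and the sample log are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH "Failed password" line. The user name is attacker-supplied, so the
# greedy ".+" plus the "$" anchor take the address from the END of the line.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?.+ "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

def offenders(lines, threshold=3, window=timedelta(minutes=10), year=2004):
    """IPs that reach `threshold` failures within `window`, in trigger order."""
    recent = defaultdict(deque)    # ip -> timestamps of recent failures
    blocked = []
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; `year` is supplied by the caller.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and m["ip"] not in blocked:
            blocked.append(m["ip"])
    return blocked

def hosts_deny_entries(ips, daemon="sshd"):
    """Format one TCP-wrappers hosts.deny rule per offending address."""
    return [f"{daemon}: {ip}" for ip in ips]

# Constructed sample log (documentation address ranges, hypothetical host "gw").
SAMPLE_LOG = """\
Sep  7 13:01:02 gw sshd[411]: Failed password for root from 203.0.113.5 port 4001 ssh2
Sep  7 13:01:05 gw sshd[412]: Failed password for invalid user admin from 203.0.113.5 port 4002 ssh2
Sep  7 13:01:09 gw sshd[413]: Failed password for root from 203.0.113.5 port 4003 ssh2
Sep  7 13:02:00 gw sshd[414]: Failed password for alice from 198.51.100.7 port 5000 ssh2
Sep  7 13:02:30 gw sshd[415]: Accepted password for alice from 198.51.100.7 port 5001 ssh2
Sep  7 13:05:00 gw sshd[416]: Failed password for root from 192.0.2.9 port 6000 ssh2
Sep  7 13:30:00 gw sshd[417]: Failed password for root from 192.0.2.9 port 6001 ssh2
Sep  7 13:55:00 gw sshd[418]: Failed password for root from 192.0.2.9 port 6002 ssh2
""".splitlines()

if __name__ == "__main__":
    print("\n".join(hosts_deny_entries(offenders(SAMPLE_LOG))))
```

In the sample, only the address with three failures inside the window is listed; the single mistyped password and the three failures spread over 50 minutes stay below the trigger level.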