Re: Automatic blocking of attackers' IP
From: FEEB (feeb_at_chem.utoronto.ca)
Date: Tue, 07 Sep 2004 13:12:47 -0400 (EDT)
On 7 Sep 2004 16:56:58 GMT, Mark A. Odell wrote:
>"FEEB" <firstname.lastname@example.org> wrote in
>>>> I would like to have the following scenario implemented on my
>>>> Someone tries repeatedly and illegally to log in as 'admin', 'root'
>>>> whatever from some IP using SSH (or any other means).
>>>Why not just set hosts.deny to ALL: ALL and then open up only those IPs
>>>domains you wish to allow in hosts.allow?
>> We must be open to anyone. That's our business :-)
>Ah. Then just put the bad IP or IP range into the hosts.deny. Of course
>this won't scale well for many IP addresses.
It would be quite inconvenient in our case of 4 full C-blocks.
The mechanism of blocking the intruder is available. However, I want to
do it automatically and only after a certain trigger level has been
reached. I know how to do it, I just do not want to reinvent the wheel.
Frank Bures, <email@example.com>
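
An added example, not part of the original post or thread: a sketch of the trigger-level blocking discussed above, counting failed SSH logins per source IP inside a sliding window and producing hosts.deny entries only once the threshold is reached. The sample log lines, threshold, window, allowlist and function names are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd syslog lines for illustration (documentation IP ranges).
SAMPLE_LOG = """\
Sep  7 13:00:01 host sshd[101]: Failed password for root from 192.0.2.10 port 4001 ssh2
Sep  7 13:00:05 host sshd[102]: Failed password for illegal user admin from 198.51.100.7 port 5001 ssh2
Sep  7 13:00:09 host sshd[103]: Failed password for illegal user admin from 192.0.2.10 port 4002 ssh2
Sep  7 13:00:20 host sshd[104]: Accepted password for alice from 203.0.113.5 port 6001 ssh2
Sep  7 13:01:00 host sshd[105]: Failed password for root from 198.51.100.7 port 5002 ssh2
Sep  7 13:02:30 host sshd[106]: Failed password for root from 192.0.2.10 port 4003 ssh2
Sep  7 13:40:00 host sshd[107]: Failed password for root from 198.51.100.7 port 5003 ssh2
"""

# Matches failed password attempts, with or without the unknown-user prefix.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user |illegal user )?(\S+) "
    r"from (\d+\.\d+\.\d+\.\d+) "
)

def offenders(log_text, threshold=3, window=timedelta(minutes=10), year=2004):
    """Return IPs (in order of detection) that reach `threshold` failed
    logins within any `window`. Syslog omits the year, so it is passed in."""
    recent = defaultdict(list)   # ip -> timestamps still inside the window
    flagged = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue             # successes and unrelated lines never count
        stamp = " ".join(m.group(1).split())   # collapse syslog day padding
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        ip = m.group(3)
        # Drop attempts older than the window, then record this one.
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) >= threshold and ip not in flagged:
            flagged.append(ip)
    return flagged

def hosts_deny_lines(ips, allowlist=()):
    """Format TCP wrappers entries, skipping addresses that must stay open."""
    return [f"sshd: {ip}" for ip in ips if ip not in allowlist]

if __name__ == "__main__":
    for entry in hosts_deny_lines(offenders(SAMPLE_LOG)):
        print(entry)
```

The window matters as much as the count: the second source in the sample fails three times in total but never three times within ten minutes, so it stays below the trigger level.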