[mythtv-users] ssh attack

chris at cpr.homelinux.net chris at cpr.homelinux.net
Fri Dec 30 05:39:34 EST 2005


On Fri, Dec 30, 2005 at 12:12:37AM -0500, George Nassas wrote:
> On 29-Dec-05, at 11:58 PM, Korey Fort wrote:
> >tracks log in attempts, if the
> >account/password is wrong a certain amount of times it will put it in
> >/etc/host.deny file and block them from attempting.
> That's a good idea in general but this particular fellow only tried a 
> given login once. Basically root / root then mythtv / mythtv then frank 
> / frank, etc...

You've missed the point.  These types of packages don't look for
multiple attempts at a single user name.  They simply watch the auth
logs and match failures to IPs.  Once an IP has accumulated a certain
number of failures within a specified time period, that IP address is
temporarily added to a firewall table to block all further connections.
In your case, root/root is the first failure, mythtv/mythtv is the
second failure, etc.

I use fail2ban to do the same thing.  It's highly configurable so you
can adjust the rules to match almost any kind of log file.

-- 
Joke template: Three guys walk into a bar. One of them is a wee bit
stupid, and the whole scene unfolds with a tedious inevitability.

