[SLL] bad login attempts

Paul A. Franz, P.E. paul at eucleides.com
Sun Jul 20 15:05:46 PDT 2008 

Some days I get hit with many thousands of login probes. A clip of a few entries from
the logs follows. I've got a couple of questions.

1) Should "lastb -a" show anything for all these? I show none.

2) I'm thinking that I'd like to use IPTables to drop all traffic from that IP once a
specified count of bad logins has occurred within say, 1 minute. Any suggestions on
how to do this?


   gerrard/password from 222.73.37.221: 1 Time(s)
   gerry/password from 222.73.37.221: 1 Time(s)
   gertrud/password from 222.73.37.221: 1 Time(s)
   gertrude/password from 222.73.37.221: 1 Time(s)
   gest/password from 85.199.174.69: 1 Time(s)
   get/password from 222.237.77.33: 1 Time(s)
   get/password from 222.73.37.221: 1 Time(s)
   gg/password from 222.237.77.33: 1 Time(s)
   ggarcia/password from 85.199.174.69: 1 Time(s)
   gia/password from 222.73.37.221: 1 Time(s)
   gianluca/password from 222.237.77.33: 1 Time(s)
   gib/password from 222.73.37.221: 1 Time(s)
   gibson/password from 222.73.37.221: 1 Time(s)
   gil/password from 222.73.37.221: 1 Time(s)
   gilbert/password from 222.73.37.221: 1 Time(s)
   gilberto/password from 85.199.174.69: 3 Time(s)
   gillian/password from 222.73.37.221: 1 Time(s)
   gimcre/password from 85.199.174.69: 1 Time(s)
   gina/password from 222.73.37.221: 1 Time(s)
   ginger/password from 85.199.174.69: 1 Time(s)
   ginnie/password from 222.73.37.221: 1 Time(s)
   giopre/password from 85.199.174.69: 1 Time(s)
   giorgia/password from 85.199.174.69: 1 Time(s)
   giovanni/password from 222.73.37.221: 1 Time(s)
   girl/password from 222.237.77.33: 1 Time(s)
   gisela/password from 222.73.37.221: 1 Time(s)
   giselle/password from 222.73.37.221: 1 Time(s)
   gladys/password from 222.73.37.221: 1 Time(s)
   glen/password from 222.73.37.221: 1 Time(s)
   glen/password from 85.199.174.69: 1 Time(s)
   glenn/password from 222.73.37.221: 1 Time(s)
   global/password from 222.73.37.221: 1 Time(s)
   gloria/password from 85.199.174.69: 1 Time(s)

-- 
Paul A. Franz, P.E.
PAF Consulting Engineers
Office 425.641.8202
FAX 425.641.1773
Cell 425.241.1618

More information about the linux-list mailing list