BFD, general brute force detection from log monitoring; sshd example uses $13; readily changeable to $(NF-3)
authfail appears also to be a possibility; again, parses on user text that could be spoofed, but a nifty implementation otherwise.
http://mandrake.vmlinuz.ca/bin/view/Main/SSH - script uses iptables, uses $13
Macintouch article on ssh monitoring, uses sed, but examples parse on $9, $7, and words that could come from user input.
Turns out there is one sshd patch out there for counting bad logins over time and locking out by IP. I haven't read the code or tested it.
Summary of ssh lockdown issues: http://aplawrence.com/Bofcusm/2507.html
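
The field-position concern in the notes above, as an added example (not part of the original comment or of any of the linked scripts). It assumes the classic OpenSSH syslog layout `Failed password for [invalid user] NAME from ADDR port N ssh2`; the log lines are constructed with documentation addresses, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample auth.log lines (assumed classic sshd format, not real data).
# Line 3 has a user name with spaces; line 4 has a user name that itself
# contains address-like text, so the real peer address is only at the tail.
sample_log() {
cat <<'EOF'
Jan 10 12:00:01 host sshd[101]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Jan 10 12:00:03 host sshd[102]: Failed password for root from 192.0.2.10 port 51240 ssh2
Jan 10 12:00:05 host sshd[103]: Failed password for invalid user a b c from 192.0.2.10 port 51241 ssh2
Jan 10 12:00:07 host sshd[104]: Failed password for invalid user x from 198.51.100.7 port 1 ssh2 from 203.0.113.5 port 40000 ssh2
Jan 10 12:00:09 host sshd[105]: Accepted password for alice from 203.0.113.5 port 40100 ssh2
EOF
}

# Fixed index counted from the start of the line: anything the client put
# in the user name shifts or replaces what lands in $13.
naive_ips() {
  awk '/Failed password/ { print $13 }'
}

# Index counted from the end: sshd writes "from ADDR port N ssh2" last, after
# the user-supplied text. Fields 5-7 come before any user text, so they anchor
# the match; the tail keywords and address shape are checked before use.
tail_ips() {
  awk '$5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Failed" && $7 == "password" &&
       NF >= 12 && $(NF-4) == "from" && $(NF-2) == "port" &&
       $(NF-3) ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $(NF-3) }'
}

# Addresses with at least $1 failures; this list is what a blocking
# script would feed to its firewall rules.
offenders() {
  tail_ips | sort | uniq -c | awk -v t="$1" '$1 >= t { print $2 }'
}

echo "naive \$13:";      sample_log | naive_ips
echo "tail \$(NF-3):";   sample_log | tail_ips
echo "offenders (>=3):"; sample_log | offenders 3
```

On the sample, `$13` yields a port number, a fragment of a user name and an address taken from the user name, while `$(NF-3)` yields the connecting address on every failed line.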