
Auto-blocking SSH brute force attackers...

Discussion in 'Tomato Firmware' started by mcmilwj, Mar 6, 2008.

  1. mcmilwj

    mcmilwj Guest

    I'm running tomato 1.16 as my primary firewall at home and loving it. But I am seeing a lot of ssh brute force attempts like these:

    Feb 26 08:24:35 fw authpriv.info dropbear[1152]: Child connection from
    Feb 26 08:24:37 fw authpriv.info dropbear[1152]: exit before auth: Exited normally
    Feb 26 08:32:17 fw authpriv.info dropbear[1153]: Child connection from
    Feb 26 08:32:25 fw authpriv.warn dropbear[1153]: bad password attempt for 'root' from
    Feb 26 08:32:26 fw authpriv.info dropbear[1153]: exit before auth (user 'root', 1 fails): Disconnect received
    Feb 26 08:32:29 fw authpriv.info dropbear[1154]: Child connection from
    Feb 26 08:32:33 fw authpriv.warn dropbear[1154]: login attempt for nonexistent user from

    ... on and on. I have two questions about this:

    1) Is there a way to have attempted usernames (when they've tried something other than 'root') displayed in the log?

    2) I saw at http://www.macsat.com/macsat/content/view/62/30/ some talk about using ipt_recent to automatically block single IPs on repeat inbound connections to a specific port in a configurable time frame (see the bottom of that page). Has anyone worked out how to do this on a recent version of tomato? If so, is it easy?
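The rule asked about in question 2 (flag a single source after repeated inbound connections within a configurable time frame), shown as an added example that is not part of the original post and is not Tomato or macsat code. It applies the same per-source counting idea to dropbear log lines instead of packets. The sample lines are constructed in the log format shown above with invented documentation-range addresses, and the 60-second window, the limit of 4 and the names `sources_to_block` and `parse_connections` are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in the syslog format shown in the post; the source
# addresses (RFC 5737 documentation ranges) and ports are invented.
SAMPLE_LOG = """\
Feb 26 08:32:17 fw authpriv.info dropbear[1153]: Child connection from 192.0.2.10:40112
Feb 26 08:32:25 fw authpriv.warn dropbear[1153]: bad password attempt for 'root' from 192.0.2.10:40112
Feb 26 08:32:29 fw authpriv.info dropbear[1154]: Child connection from 192.0.2.10:40118
Feb 26 08:32:41 fw authpriv.info dropbear[1155]: Child connection from 192.0.2.10:40125
Feb 26 08:32:58 fw authpriv.info dropbear[1156]: Child connection from 192.0.2.10:40131
Feb 26 08:40:02 fw authpriv.info dropbear[1157]: Child connection from 198.51.100.7:51000
Feb 26 09:15:44 fw authpriv.info dropbear[1158]: Child connection from 198.51.100.7:51022
"""

CONN = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \S+ dropbear\[\d+\]: "
    r"Child connection from (\d+\.\d+\.\d+\.\d+):\d+$"
)

def parse_connections(log_text, year=2008):
    """Yield (timestamp, source_ip) for each new dropbear connection line."""
    for line in log_text.splitlines():
        m = CONN.match(line.strip())
        if m:
            # syslog lines carry no year, so the caller supplies one
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2)

def sources_to_block(log_text, seconds=60, hitcount=4):
    """Return {ip: time the limit was reached} for sources that opened
    `hitcount` connections within a sliding window of `seconds`."""
    recent = defaultdict(deque)   # per-source timestamps inside the window
    blocked = {}
    for ts, ip in parse_connections(log_text):
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > seconds:
            window.popleft()      # expire entries older than the window
        if len(window) >= hitcount and ip not in blocked:
            blocked[ip] = ts
    return blocked

if __name__ == "__main__":
    for ip, when in sources_to_block(SAMPLE_LOG).items():
        print(f"{ip} reached the limit at {when:%b %d %H:%M:%S}")
```

Counting "Child connection from" lines rather than failed passwords matches what a port-based packet rule sees: every new connection to the SSH port counts, whether or not a login was attempted.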

  2. roadkill

    roadkill Super Moderator Staff Member Member
