Auto-blocking SSH brute force attackers...

Discussion in 'Tomato Firmware' started by mcmilwj, Mar 6, 2008.

  1. mcmilwj

    mcmilwj Guest

    I'm running Tomato 1.16 as my primary firewall at home and loving it. But I am seeing a lot of SSH brute force attempts like these:

    Feb 26 08:24:35 fw dropbear[1152]: Child connection from
    Feb 26 08:24:37 fw dropbear[1152]: exit before auth: Exited normally
    Feb 26 08:32:17 fw dropbear[1153]: Child connection from
    Feb 26 08:32:25 fw authpriv.warn dropbear[1153]: bad password attempt for 'root' from
    Feb 26 08:32:26 fw dropbear[1153]: exit before auth (user 'root', 1 fails): Disconnect received
    Feb 26 08:32:29 fw dropbear[1154]: Child connection from
    Feb 26 08:32:33 fw authpriv.warn dropbear[1154]: login attempt for nonexistent user from

    ... on and on. I have two questions about this:

    1) Is there a way to have attempted usernames (when they've tried something other than 'root') displayed in the log?

    2) I saw at some talk about using ipt_recent to automatically block single IPs on repeat inbound connections to a specific port in a configurable time frame (see the bottom of that page). Has anyone worked out how to do this on a recent version of Tomato? If so, is it easy?
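
The ipt_recent approach asked about in question 2, sketched as an added example that is not part of the original post or of Tomato itself. The port, window, hit count and the chain/list name `SSH_BF` are assumptions; the `recent` match options used are the standard iptables ones.

```shell
#!/bin/sh
# Added example (not from the thread): per-source rate limit on new SSH
# connections using the iptables "recent" match (ipt_recent).
# Every value below is an assumption; adjust to your setup.
SSH_PORT=22     # port dropbear listens on
WINDOW=60       # look-back window, seconds
HITS=4          # drop a source once it reaches this many new connections in WINDOW
LIST=SSH_BF     # hypothetical name, used for both the chain and the recent list

# Emit the iptables arguments, one rule per line, in the order to apply them.
ssh_ratelimit_rules() {
    echo "-N $LIST"
    # 1) record the source address of every new SSH connection
    echo "-A $LIST -m recent --name $LIST --set"
    # 2) drop if this source now has HITS entries inside WINDOW; --update also
    #    refreshes the timestamp, so a source that keeps retrying stays blocked
    echo "-A $LIST -m recent --name $LIST --update --seconds $WINDOW --hitcount $HITS -j DROP"
    # 3) send new SSH connections through the chain ahead of the existing
    #    INPUT rules; packets that are not dropped fall through to them
    echo "-I INPUT -p tcp --dport $SSH_PORT -m state --state NEW -j $LIST"
}

apply_rules() {
    ssh_ratelimit_rules | while read -r rule; do
        # intentional word splitting: each line is an argument list
        iptables $rule || exit 1
    done
}

# Print the rules by default; "apply" (as root) installs them.
if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    ssh_ratelimit_rules | sed 's/^/iptables /'
fi
```

The limit applies to every source, so a legitimate client that reconnects more than `HITS` times inside the window is dropped as well until it goes quiet for `WINDOW` seconds.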

  2. roadkill

    roadkill Super Moderator Staff Member Member
