Fun with random attackers
moronbros
30th November 2004, 03:53 PM
I recently had the joy of getting some really strange scans and connection attempts from boxes over in China... they randomly scan my ports and try about 100 different SSH login names. It's a pretty standard attack, really. However, I want to change my stance a bit, from just letting these fail to "I will blacklist your IP from all connection attempts in the future (using iptables)".
I want to start denying these possessed servers the option of DoS-ing my machine. By the way, it's just a DMZ public host, so it must accept connections from all over and some SSH from management. Is there a way of writing up a little script that checks for the repeated attempts and then creates a rule in iptables? Or is Snort my only option?
dank you.
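One way to build the script the post asks for, as an added example that is not from the thread: a POSIX shell script that pulls the source address out of OpenSSH "Failed password" lines, counts failures per address, skips an allowlist of management hosts, and prints the iptables rules instead of applying them so they can be reviewed first. The threshold, the allowlist, the log path /var/log/secure and the sample log lines are assumptions (the sample lines are constructed). Two caveats a practitioner would want: a failed SSH login is only logged after a completed TCP handshake, so the address in the log cannot be spoofed, and the real lockout risk is blocking a shared NAT address or one of your own management hosts; and the pattern matches IPv4 addresses only.

```shell
#!/bin/sh
# Added example, not code from the thread: find source IPs with repeated
# failed SSH logins in an OpenSSH auth log and emit iptables DROP rules.
# THRESHOLD, ALLOWLIST, LOG and the sample log lines below are assumptions.

THRESHOLD=${THRESHOLD:-5}                         # failures before blocking
ALLOWLIST=${ALLOWLIST:-"192.0.2.10 192.0.2.11"}   # management hosts, never blocked
LOG=${LOG:-/var/log/secure}

# Constructed sample in OpenSSH's syslog format so the script runs offline.
sample_log() {
cat <<'EOF'
Nov 30 03:41:02 dmz sshd[1201]: Failed password for illegal user test from 203.0.113.5 port 41023 ssh2
Nov 30 03:41:04 dmz sshd[1203]: Failed password for illegal user guest from 203.0.113.5 port 41031 ssh2
Nov 30 03:41:06 dmz sshd[1205]: Failed password for illegal user admin from 203.0.113.5 port 41040 ssh2
Nov 30 03:41:08 dmz sshd[1207]: Failed password for illegal user oracle from 203.0.113.5 port 41052 ssh2
Nov 30 03:41:10 dmz sshd[1209]: Failed password for root from 203.0.113.5 port 41060 ssh2
Nov 30 03:42:15 dmz sshd[1211]: Failed password for root from 198.51.100.7 port 51000 ssh2
Nov 30 03:50:00 dmz sshd[1220]: Accepted publickey for manager from 192.0.2.10 port 60012 ssh2
Nov 30 03:51:01 dmz sshd[1222]: Failed password for manager from 192.0.2.10 port 60020 ssh2
Nov 30 03:51:05 dmz sshd[1222]: Failed password for manager from 192.0.2.10 port 60020 ssh2
Nov 30 03:51:09 dmz sshd[1222]: Failed password for manager from 192.0.2.10 port 60020 ssh2
Nov 30 03:51:13 dmz sshd[1224]: Failed password for manager from 192.0.2.10 port 60024 ssh2
Nov 30 03:51:17 dmz sshd[1224]: Failed password for manager from 192.0.2.10 port 60024 ssh2
EOF
}

# stdin: auth log lines; stdout: IPv4 addresses with >= THRESHOLD failures,
# sorted, one per line, allowlisted addresses removed.
offenders() {
    sed -n 's/.*sshd\[[0-9]*\]: Failed password for .* from \([0-9.][0-9.]*\) port .*/\1/p' |
    sort | uniq -c |
    awk -v t="$THRESHOLD" -v allow="$ALLOWLIST" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        ($1 + 0) >= (t + 0) && !($2 in ok) { print $2 }'
}

# stdin: addresses; stdout: iptables commands. Review them, then pipe to sh as root.
block_rules() {
    while read -r ip; do
        # -I puts the DROP at the top of INPUT so it wins over any ACCEPT rule;
        # on iptables >= 1.4.11 guard against duplicates with:
        #   iptables -C INPUT -s "$ip" -j DROP 2>/dev/null || iptables -I INPUT -s "$ip" -j DROP
        printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
    done
}

# Dry run on the constructed sample. Against the real log:
#   offenders < "$LOG" | block_rules
sample_log | offenders | block_rules
```

Run from cron against the real log, and note that the allowlist is applied before any rule is generated precisely because `-I` lands ahead of every other INPUT rule, including whatever ACCEPT you have for management addresses; a mistyped password from the management host would otherwise lock you out.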
vinu
30th November 2004, 06:07 PM
Portsentry is another option you could look at. But you cannot use it to monitor a service that is already running on your box.
Do keep in mind that you stand the risk of blocking valid connections to your box, because crackers often spoof IP addresses. For example, think of what would happen if the hacker used the spoofed IP address of your upstream DNS. In short, auto-blacklisting is a bad idea. Avoid it if you can. Better to just log and manually block someone if you find them being too aggressive and repetitive.
ilja
30th November 2004, 07:08 PM
Maybe a bit off-topic:
But it is better not to use the standard SSH port but another one (you can explain even to a manager how to use another port in his SSH client), and the best solution is not to use passwords for SSH but GPG keys. In most cases it gives more security, and the manager won't have to remember his birth date as a password :D
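An added example, not from the thread, of the settings ilja is arguing for (in OpenSSH, key-based login means an SSH key pair from ssh-keygen rather than a GPG key): a constructed weak sshd_config next to a hardened one, and a shell function that reads an sshd_config on stdin and reports each weak setting, treating an absent directive as the OpenSSH default. The assumed defaults (Port 22, PasswordAuthentication yes, ChallengeResponseAuthentication yes, PubkeyAuthentication yes, PermitRootLogin yes) match OpenSSH of the period; newer releases default PermitRootLogin to prohibit-password and rename ChallengeResponseAuthentication to KbdInteractiveAuthentication, and Match blocks are not handled.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the settings
# discussed in the post. Defaults and both sample configs are assumptions.

# Constructed weak configuration: default port, root login, passwords.
weak_config() {
cat <<'EOF'
# sshd_config (constructed, weak)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
}

# Constructed hardened configuration: non-standard port, keys only.
hardened_config() {
cat <<'EOF'
# sshd_config (constructed, hardened)
Port 2222
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers manager ops
EOF
}

# stdin: sshd_config; stdout: one "WEAK:" line per finding.
# Exit status 1 when anything weak was found, 0 when clean.
# sshd keeps the first value it sees for a keyword, so later lines are ignored.
audit_sshd_config() {
    awk '
        BEGIN {
            v["port"] = "22"; v["passwordauthentication"] = "yes"
            v["challengeresponseauthentication"] = "yes"
            v["pubkeyauthentication"] = "yes"; v["permitrootlogin"] = "yes"
        }
        /^[[:space:]]*#/ || NF < 2 { next }
        { k = tolower($1); if (!(k in seen)) { seen[k] = 1; v[k] = $2 } }
        END {
            n = 0
            if (v["port"] == "22")                             { print "WEAK: Port 22 (every scanner tries it first)"; n++ }
            if (v["passwordauthentication"] != "no")           { print "WEAK: PasswordAuthentication not disabled"; n++ }
            if (v["challengeresponseauthentication"] != "no")  { print "WEAK: ChallengeResponseAuthentication not disabled (still allows password prompts)"; n++ }
            if (v["pubkeyauthentication"] != "yes")            { print "WEAK: PubkeyAuthentication disabled"; n++ }
            if (v["permitrootlogin"] != "no")                  { print "WEAK: PermitRootLogin not disabled"; n++ }
            exit (n > 0)
        }'
}

echo "weak config:";     weak_config | audit_sshd_config
echo "hardened config:"; hardened_config | audit_sshd_config && echo "no findings"
# Real host:  audit_sshd_config < /etc/ssh/sshd_config
```

Moving the port only thins out the noise from scripts that never look past 22; disabling passwords is what actually stops the guessing. Before setting PasswordAuthentication no, install the public key and confirm a key login from a second session while the first one stays open, otherwise the next restart of sshd locks you out.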
Tru
30th November 2004, 07:30 PM
I would use Firestarter. You can deny ping requests, thus stopping the scanning. It also shows you in real time the IPs that are hitting you and what port they are trying; then, if you see one that is repeatedly trying to get in, just right-click on it and add it to the block list. It's that easy and it works great!
http://www.fs-security.com/ - just go there and get it; it's in an RPM for Fedora.
Condatis
5th December 2004, 03:18 AM
Quoting moronbros:
I recently had the joy of getting some really strange scans and connection attempts from boxes over in China... they randomly scan my ports and try about 100 different SSH login names. It's a pretty standard attack, really. However, I want to change my stance a bit, from just letting these fail to "I will blacklist your IP from all connection attempts in the future (using iptables)".
I want to start denying these possessed servers the option of DoS-ing my machine. By the way, it's just a DMZ public host, so it must accept connections from all over and some SSH from management. Is there a way of writing up a little script that checks for the repeated attempts and then creates a rule in iptables? Or is Snort my only option?
dank you.
I see the same thing from China and India all the time. I see them looking for the same usernames over and over again. What a retarded script they are using!
I set up Snort and Tripwire and monitor /var/log/secure and the nightly cron output for attacks.
If I get someone who is really annoying, I just add their network to iptables and reject their SSH access. I keep meaning to add a rule to iptables to block SSH if you're not from certain networks, but I am too busy to research how to do it!
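The rule Condatis describes wanting, as an added example that is not from the thread: new SSH connections are accepted only from management networks, while every other port stays reachable from anywhere, which is the DMZ shape the original post describes. The management networks, the chain name SSH_MGMT and the use of the conntrack match are assumptions; the function prints the iptables commands so they can be reviewed before being piped to sh as root.

```shell
#!/bin/sh
# Added example, not from the thread: confine SSH to management networks and
# leave all other services open. MGMT_NETS, SSH_PORT and SSH_MGMT are assumptions.

MGMT_NETS=${MGMT_NETS:-"192.0.2.0/24 198.51.100.0/24"}
SSH_PORT=${SSH_PORT:-22}

# stdout: iptables commands. Apply with:  ssh_allowlist_rules | sh   (as root)
ssh_allowlist_rules() {
    # Dedicated chain; create it, or flush it if it already exists, so the
    # script can be re-run after editing MGMT_NETS.
    echo 'iptables -N SSH_MGMT 2>/dev/null || iptables -F SSH_MGMT'
    for net in $MGMT_NETS; do
        printf 'iptables -A SSH_MGMT -s %s -j ACCEPT\n' "$net"
    done
    # Everyone else: a rate-limited log line (keeps the scanner's address
    # without flooding syslog), then a TCP RST so the client fails fast.
    echo 'iptables -A SSH_MGMT -m limit --limit 5/min -j LOG --log-prefix "SSH-DENY: "'
    echo 'iptables -A SSH_MGMT -p tcp -j REJECT --reject-with tcp-reset'
    # Send only NEW SSH connections through the chain. Delete any previous
    # hook first (ignoring "not found") so re-running does not stack copies;
    # this works on iptables versions that lack -C.
    hook="INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j SSH_MGMT"
    printf 'iptables -D %s 2>/dev/null\n' "$hook"
    printf 'iptables -I %s\n' "$hook"
}

ssh_allowlist_rules
```

Apply it from the console or from a session that is already open, and keep that session open until a fresh connection from a management address has been confirmed to work. Established SSH sessions are untouched because only NEW connections enter the chain, so an error in MGMT_NETS will not cut off the session you are applying it from.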