[Techtalk] 216 ssh login attempts, what to do?

[John Stoneham]

> > But the OP's idea of blocking any log-in attempts from an IP with,
> > say, three failed attempts in a short space of time seems an excellent
> > one, yet nobody has addressed this.
> 
> And a way to autounblock those. Maybe a modification of a
> POP-before-SMTP script would help? Know Perl?

There's also the relatively new concept of port knocking which can be used to
open normally closed ports if you know how to get in. Maybe port 22's
normally closed to all inbound traffic, but if you first try (and fail) to
connect on port 22455, it will open 22 just for your IP.

Of course this is really only a layer of security by obscurity, but it will
cut your server out of automated attacks entirely (that is, until the attack
bots learn to knock on ports before trying to break in...).

Check http://www.portknocking.org/ for more information.

- John