[Intrusions] SSH brute forcing attacks
dk
dk at pwarchitects.com
Wed Jun 1 00:44:15 GMT 2005
Benjamin Koch wrote:
> Hello Wojciech,
>
> Nice idea to post a link with a list of blacklisted ddos zombies.
> Is there a way to keep my personal blacklist up to date with other
> blacklists?

I'd like this too, esp. just for hosts that are profiled/culled for
certain behavior, i.e. for ssh brute-force/dictionary scanning.

I find maintaining blacklists by the "subject" of the transgression
easier than one bulk one.

If anyone cares: I can post a small (but once active) brute force list
that I gathered -- around 107 hosts. Simple requirements were/are that
they must try >5 logins that resulted in an "Illegal user" attempt. I had
the port open to all IPs (except a large section of the APNIC netblock)
and am on a somewhat quiet subnet.

Nothing fancy... never did any passive scanning to get OS, any heads
thrown about, etc. Always meant to though. ;)

Thanks to "hakon" for the FIFO idea, I hadn't considered that approach
for a high traffic solution; good idea.

--
dk
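
The selection rule described in the message above (more than 5 login attempts logged as "Illegal user" from one source), as an added example that is not part of the original post or the poster's own tooling. The function names, the `gw` host name and the sample log lines are constructed for illustration; the log line shape assumes sshd writing to syslog.

```python
import ipaddress
import re
from collections import Counter

# sshd's message for a login naming a non-existent account. Older OpenSSH wrote
# "Illegal user"; later releases write "Invalid user" and may append the port.
# The user name is attacker-controlled: greedy (.*) keeps the LAST "from" as source.
ATTEMPT_RE = re.compile(
    r"sshd\[\d+\]: (?:Illegal|Invalid) user (?P<user>.*) from (?P<src>\S+)"
    r"(?: port \d+)?\s*$"
)
THRESHOLD = 5  # rule from the post: more than 5 "Illegal user" attempts

def illegal_user_counts(lines):
    """Count unknown-account attempts per source IP address."""
    counts = Counter()
    for line in lines:
        m = ATTEMPT_RE.search(line)
        if m is None:
            continue
        try:
            src = ipaddress.ip_address(m.group("src"))
        except ValueError:
            continue  # not an IP literal (e.g. a resolved host name): skip
        counts[str(src)] += 1
    return counts

def offenders(lines, threshold=THRESHOLD):
    """Return [(ip, attempts)] for sources above the threshold, busiest first."""
    counts = illegal_user_counts(lines)
    return sorted(((ip, n) for ip, n in counts.items() if n > threshold),
                  key=lambda item: (-item[1], item[0]))

# Constructed sample log (documentation address ranges, made-up host name).
PREFIX = "Jun  1 00:10:0{} gw sshd[41{}]: "
SAMPLE_LOG = (
    [PREFIX.format(i, i) + f"Illegal user {u} from 203.0.113.7"
     for i, u in enumerate(["admin", "test", "guest", "oracle", "web", "ftp"])]
    + [PREFIX.format(i, i) + f"Illegal user {u} from 198.51.100.20"
       for i, u in enumerate(["a", "b", "c", "d"])]
    # A user name crafted to look like a different source address:
    + [PREFIX.format(9, 9) + "Illegal user x from 192.0.2.99 from 198.51.100.20",
       PREFIX.format(9, 9) + "Failed password for root from 203.0.113.7 port 4022 ssh2"]
)

if __name__ == "__main__":
    for ip, n in offenders(SAMPLE_LOG):
        print(ip, n)
```

The line with the crafted user name is counted against the address at the end of the line, so a scanner cannot get an unrelated address listed by embedding it in the account name.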