[opensuse] dictionary attacks



Just about every day, often several times a day, my logs include hours
of log entries that look like this:

Jul 16 00:35:25 raid5 sshd[6966]: Invalid user admin from 83.18.244.42
Jul 16 00:35:30 raid5 sshd[6968]: Invalid user admin from 83.18.244.42
Jul 16 00:35:35 raid5 sshd[6972]: Invalid user admin from 83.18.244.42
Jul 16 00:35:40 raid5 sshd[6974]: Invalid user admin from 83.18.244.42
Jul 16 00:35:56 raid5 sshd[6981]: Invalid user test from 83.18.244.42
Jul 16 00:36:01 raid5 sshd[6983]: Invalid user test from 83.18.244.42
Jul 16 00:36:06 raid5 sshd[6985]: Invalid user webmaster from 83.18.244.42
Jul 16 00:36:11 raid5 sshd[6987]: Invalid user username from 83.18.244.42
Jul 16 00:36:16 raid5 sshd[6989]: Invalid user user from 83.18.244.42
Jul 16 00:36:26 raid5 sshd[6994]: Invalid user admin from 83.18.244.42
Jul 16 00:36:31 raid5 sshd[6996]: Invalid user test from 83.18.244.42
Jul 16 00:36:51 raid5 sshd[7017]: Invalid user danny from 83.18.244.42
Jul 16 00:36:56 raid5 sshd[7019]: Invalid user alex from 83.18.244.42
Jul 16 00:37:01 raid5 sshd[7022]: Invalid user brett from 83.18.244.42
Jul 16 00:37:06 raid5 sshd[7024]: Invalid user mike from 83.18.244.42
Jul 16 00:37:12 raid5 sshd[7027]: Invalid user alan from 83.18.244.42
Jul 16 00:37:18 raid5 sshd[7029]: Invalid user data from 83.18.244.42
Jul 16 00:37:22 raid5 sshd[7031]: Invalid user www-data from 83.18.244.42
Jul 16 00:37:28 raid5 sshd[7033]: Invalid user http from 83.18.244.42
Jul 16 00:37:33 raid5 sshd[7037]: Invalid user httpd from 83.18.244.42
Jul 16 00:37:38 raid5 sshd[7040]: Invalid user pop from 83.18.244.42


..... and so on, ad nauseam. Obviously, someone is trying to break into
my system via SSH. So far as I can tell from examining my logs and
my systems (usually at least 4 other systems on my LAN are under
simultaneous attacks from the same source(s)), the daemon is
successfully withstanding the assault and the system is not compromised.

My question is: what, if any, firewall rule could I write that could
detect such attacks and automatically shut down forwarding packets from
the offending node or domain? That would give me an additional layer
of defense as well as freeing up a significant amount of log file space.

Thanks in advance,
Richard
--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse+help@xxxxxxxxxxxx
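The detection half of what Richard is asking for, as an added example that is not part of his post or of any reply on the list: a small Python script that reads sshd "Invalid user" lines of the form quoted above, keeps a sliding window of failures per source address, and flags an address once it exceeds a threshold within that window. The sample log is constructed for the example (it reuses the 83.18.244.42 address from the post and adds a 192.0.2.x address that should not be flagged); the threshold of 4 failures in 60 seconds is an assumed tuning knob, and the script only prints iptables commands as strings rather than running anything.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines, modelled on the sshd output quoted in the post.
# The last two lines are there to show that a single failure and a
# successful login are left alone.
SAMPLE_LOG = """\
Jul 16 00:35:25 raid5 sshd[6966]: Invalid user admin from 83.18.244.42
Jul 16 00:35:30 raid5 sshd[6968]: Invalid user admin from 83.18.244.42
Jul 16 00:35:35 raid5 sshd[6972]: Invalid user admin from 83.18.244.42
Jul 16 00:35:40 raid5 sshd[6974]: Invalid user admin from 83.18.244.42
Jul 16 00:35:56 raid5 sshd[6981]: Invalid user test from 83.18.244.42
Jul 16 00:40:00 raid5 sshd[7100]: Invalid user bob from 192.0.2.10
Jul 16 00:41:00 raid5 sshd[7101]: Accepted publickey for richard from 192.0.2.20 port 50000 ssh2
"""

# Assumed tuning: flag a source after 4 invalid-user failures within 60 seconds.
THRESHOLD = 4
WINDOW_SECONDS = 60

# Matches the classic syslog layout: "Mon DD HH:MM:SS host sshd[pid]: Invalid user NAME from IP"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_invalid_user(line):
    """Return (timestamp, user, ip) for an 'Invalid user' line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; strptime defaults to 1900, which is fine
    # because only differences between timestamps are used here.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("user"), m.group("ip")


def find_brute_force_sources(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Sliding-window count of failures per source IP.

    Returns {ip: timestamp_of_first_trigger} for every IP that produced
    `threshold` or more invalid-user failures within `window` seconds.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    flagged = {}
    for line in lines:
        parsed = parse_invalid_user(line)
        if parsed is None:
            continue
        ts, _user, ip = parsed
        q = recent[ip]
        q.append(ts)
        # Drop failures that have aged out of the window (lines are in log order).
        while (ts - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


def block_rules(flagged):
    """Render one iptables DROP rule per flagged source, as text only.

    The commands are not executed; an administrator would review them
    (or feed them to a ban tool) before applying them.
    """
    return [
        f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP"
        for ip in sorted(flagged)
    ]


if __name__ == "__main__":
    hits = find_brute_force_sources(SAMPLE_LOG.splitlines())
    for ip, when in hits.items():
        print(f"{ip} exceeded {THRESHOLD} failures in {WINDOW_SECONDS}s at {when:%H:%M:%S}")
    for rule in block_rules(hits):
        print(rule)
```

Run against the constructed sample, the script flags 83.18.244.42 at the fourth failure (00:35:40) and leaves 192.0.2.10 alone. Tools such as fail2ban do exactly this loop continuously and expire the bans again, which matters because source addresses are often dynamic; the iptables `recent` match (`-m recent --set` followed by `--update --seconds N --hitcount M -j DROP` on new connections to port 22) achieves a similar rate limit entirely inside the firewall, without parsing logs at all.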