# Way to monitor and blacklist IP address?

## Biru

I was checking the log files on my Gentoo server the other day and I came across a bunch of entries that were an obvious attempt at brute-force entry, all from the same IP.  Is there any package/script I can use that recognises this kind of behaviour and adds the offending IP to a list of IPs to ignore in future?

See pic:

http://img801.imageshack.us/img801/3249/stopthisguy.gif

----------

## Biru

For some reason imageshack appears to have screwed up the pic, but essentially it's just a list of failed login attempts every five seconds from the same IP, using a series of names like test, root, administrator, apache, proftpd, mysql and so on.

----------

## krinn

`emerge -s denyhost fail2ban`

fail2ban is more advanced, but it's always buggy and works badly for me.

denyhost is simple, but hey, it works and does the job.

Try them, get the one you prefer.

You can also just blacklist the IP yourself if you're in the mood:

`echo sshd: 200..68.5.94 >> /etc/hosts.deny`

or any 200 IP:

`echo sshd: 200.* >> /etc/hosts.deny`
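A small detector of the kind denyhosts and fail2ban implement, written here as an added example and not code from the thread or from either project: it parses sshd "Failed password" lines (constructed sample log below), counts failures per IP inside a sliding time window, and renders hosts.deny entries in the same form as the echo above. The log format, the threshold of 5 failures and the 10-minute window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines (not from the post): one host fails every
# five seconds cycling through common usernames, plus one stray failure.
SAMPLE_LOG = """\
Mar 10 14:02:01 gentoo sshd[4123]: Failed password for invalid user test from 198.51.100.23 port 51122 ssh2
Mar 10 14:02:06 gentoo sshd[4125]: Failed password for root from 198.51.100.23 port 51130 ssh2
Mar 10 14:02:11 gentoo sshd[4127]: Failed password for invalid user administrator from 198.51.100.23 port 51138 ssh2
Mar 10 14:02:16 gentoo sshd[4129]: Failed password for invalid user apache from 198.51.100.23 port 51144 ssh2
Mar 10 14:02:21 gentoo sshd[4131]: Failed password for invalid user proftpd from 198.51.100.23 port 51150 ssh2
Mar 10 14:02:26 gentoo sshd[4133]: Failed password for invalid user mysql from 198.51.100.23 port 51156 ssh2
Mar 10 14:05:40 gentoo sshd[4140]: Failed password for alice from 203.0.113.9 port 40210 ssh2
"""
# Matches the "Failed password" line sshd writes (syslog timestamp has no year).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse_failures(log_text, year=2024):
    """Yield (timestamp, ip, user) for each failed-password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]

def offenders(log_text, threshold=5, window_seconds=600):
    """Return IPs with at least `threshold` failures inside any `window_seconds` span."""
    by_ip = defaultdict(list)
    for ts, ip, _ in parse_failures(log_text):
        by_ip[ip].append(ts)
    bad = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0                      # sliding window over sorted timestamps
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                bad.add(ip)
                break
    return sorted(bad)

def hosts_deny_lines(ips, daemon="sshd"):
    """Same form as the `echo sshd: ... >> /etc/hosts.deny` line in the post."""
    return [f"{daemon}: {ip}" for ip in ips]
```

Running `hosts_deny_lines(offenders(SAMPLE_LOG))` on the sample yields only the host that cycled through usernames; the single failure from the other address stays below the threshold.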

----------

## CurtE

It's not an answer, but if I happen to be checking my stats at the time it's happening, I check the WHOIS of the IP address.

I have found a few businesses and college IPs in the list.  Notifying the Tech department generally is a wasted effort (they claimed it wasn't their system), but on a few occasions I have received an e-mail that said it will not happen again.  Either they fixed the problem that allowed the incident or located the problem child.

Either way, one less problem.

----------

## Biru

Thanks, I'll give them a go.

----------

