I would like to make a suggestion.
Our daily logs are full of login attempts which we assume are by malicious users - for example:
[02] Tue, 09 Aug 2011 01:21:39 (0000278) Closed session,disconnected from 217.42.161.5
[02] Tue, 09 Aug 2011 01:26:15 (0000279) Closed session,disconnected from 217.42.161.5
[02] Tue, 09 Aug 2011 03:40:22 (0000280) Connected from 218.29.115.152 (local address 84.12.188.229, port 22)
[01] Tue, 09 Aug 2011 03:40:24 (0000280) SSH session receive user name:root
[01] Tue, 09 Aug 2011 03:40:24 (0000280) SSH session receive password of user root
[01] Tue, 09 Aug 2011 03:40:24 (0000280) Username and password unmatched, the authentication will start again later.
[02] Tue, 09 Aug 2011 03:40:25 (0000280) Closed session,disconnected from 218.29.115.152. The reason is:Unable to complete handshake.
[02] Tue, 09 Aug 2011 03:40:25 (0000281) Connected from 218.29.115.152 (local address 84.12.188.229, port 22)
[01] Tue, 09 Aug 2011 03:40:28 (0000281) SSH session receive user name:root
[01] Tue, 09 Aug 2011 03:40:28 (0000281) SSH session receive password of user root
[01] Tue, 09 Aug 2011 03:40:28 (0000281) Username and password unmatched, the authentication will start again later.
[02] Tue, 09 Aug 2011 03:40:28 (0000281) Closed session,disconnected from 218.29.115.152. The reason is:Unable to complete handshake.
[02] Tue, 09 Aug 2011 03:40:28 (0000282) Connected from 218.29.115.152 (local address 84.12.188.229, port 22)
[01] Tue, 09 Aug 2011 03:40:31 (0000282) SSH session receive user name:root
[01] Tue, 09 Aug 2011 03:40:31 (0000282) SSH session receive password of user root
[01] Tue, 09 Aug 2011 03:40:31 (0000282) Username and password unmatched, the authentication will start again later.
Is there any chance you could add some sort of flood control to the software, so we can set a number of incorrect logins from a single IP before they get put on a temporary ban list? Perhaps if someone enters incorrect login details 5 times they receive a message in their FTP program saying they've been temporarily banned, and if they're accessing via the web interface then they see a similar message.
It would be good to have options that the administrator can set - for example I'd like to add the IP address to a permanent ban list instead of a temporary one, but I think other people might like to have it set to temporary instead, as well as be able to set the number of incorrect logins before the ban occurs.
A feature like this would certainly stop us getting anywhere near as many attempts to log in to our system and should also cut down on a bit of network traffic, even if it is just a small amount.
Thank you :)
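As an added example (not part of the original post, and not the product's own code), this is one way the requested per-IP threshold could be evaluated against the log format quoted above. The function names, the sliding window, the default durations and the sample lines (documentation IP addresses) are assumptions constructed for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE = re.compile(r"^\[\d+\] \w{3}, (\d{2} \w{3} \d{4} [\d:]{8}) \((\d+)\) (.*)$")
CONNECT = re.compile(r"^Connected from (\d+\.\d+\.\d+\.\d+) ")
FAILED = "Username and password unmatched"

def find_bans(lines, max_failures=5, window=timedelta(minutes=10), ban_for=timedelta(hours=1)):
    """Return {ip: (banned_at, expires_at)}. ban_for=None is a permanent ban. Defaults are assumptions."""
    session_ip = {}                      # session id -> source IP, from "Connected from" lines
    failures = defaultdict(deque)        # IP -> timestamps of recent failed logins
    bans = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue                     # skip anything not in the expected format
        ts = datetime.strptime(m.group(1), "%d %b %Y %H:%M:%S")
        session, msg = m.group(2), m.group(3)
        c = CONNECT.match(msg)
        if c:
            session_ip[session] = c.group(1)
            continue
        ip = session_ip.get(session)
        if ip is None or not msg.startswith(FAILED):
            continue
        active = bans.get(ip)
        if active and (active[1] is None or ts < active[1]):
            continue                     # ban still in force at this timestamp
        recent = failures[ip]
        recent.append(ts)
        while ts - recent[0] > window:   # drop failures outside the sliding window
            recent.popleft()
        if len(recent) >= max_failures:
            bans[ip] = (ts, None if ban_for is None else ts + ban_for)
            recent.clear()
    return bans

def sample_log():
    """Constructed lines in the post's log format: one IP fails 5 times, another once."""
    out = []
    for i in range(5):
        sid, t = f"{280 + i:07d}", f"Tue, 09 Aug 2011 03:40:{20 + 3 * i:02d}"
        out += [f"[02] {t} ({sid}) Connected from 203.0.113.7 (local address 192.0.2.1, port 22)",
                f"[01] {t} ({sid}) SSH session receive user name:root",
                f"[01] {t} ({sid}) Username and password unmatched, the authentication will start again later."]
    out += ["[02] Tue, 09 Aug 2011 04:00:00 (0000290) Connected from 198.51.100.20 (local address 192.0.2.1, port 22)",
            "[01] Tue, 09 Aug 2011 04:00:02 (0000290) Username and password unmatched, the authentication will start again later."]
    return out
```

Failures are tied to an IP through the session number in parentheses, because the "unmatched" line itself carries no address.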