Hi,
Our primary router is under attack by a botnet. I see this sort of message at the router console:
[admin@my-router] > /
echo: system,error,critical login failure for user ftpuser from 91.135.238.186 via ssh
[admin@my-router] > /
echo: system,error,critical login failure for user admin from 91.135.238.186 via ssh
[admin@my-router] > /
echo: system,error,critical login failure for user D-Link from 91.135.238.186 via ssh
Always in a series of three. Always the same usernames. Always from a new IP address.
My regular SSH brute-force rules don't kick in until four attempts and then only with a temporary ban.
Does anyone know how I could write rules to catch this attack and set a longer (or permanent) ban?
Thanks,
G
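One way to pick this pattern out of the log before it reaches four attempts is to match on the signature itself (three failures from one address, in the order ftpuser, admin, D-Link) rather than on a plain count. The script below is an added example, not code from the post or from MikroTik: it parses the `echo:` lines in the format shown above, groups failures by source address, flags any address whose failure sequence contains that exact three-username run, and emits the RouterOS address-list commands that would put the address on a long-timeout list. The sample log lines are constructed (the 198.51.100.0/24 and 203.0.113.0/24 addresses are documentation ranges); the list name `ssh_blacklist`, the 30-day timeout and the assumption that an existing input-chain rule drops traffic from that list are all assumptions, not something the post states.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample, in the RouterOS console "echo:" format seen in the post.
# 91.135.238.186 is the address from the post; the others are documentation ranges.
SAMPLE_LOG = """\
echo: system,error,critical login failure for user ftpuser from 91.135.238.186 via ssh
echo: system,error,critical login failure for user admin from 91.135.238.186 via ssh
echo: system,error,critical login failure for user D-Link from 91.135.238.186 via ssh
echo: system,error,critical login failure for user ftpuser from 198.51.100.7 via ssh
echo: system,error,critical login failure for user admin from 198.51.100.7 via ssh
echo: system,error,critical login failure for user D-Link from 198.51.100.7 via ssh
echo: system,error,critical login failure for user root from 203.0.113.9 via ssh
echo: system,error,critical login failure for user root from 203.0.113.9 via ssh
echo: system,info,account user admin logged in from 192.0.2.5 via ssh
"""

# The exact username sequence reported in the post, in the order it appears.
SIGNATURE = ("ftpuser", "admin", "D-Link")

# Matches the failure message; captures username, source address and service.
FAILURE_RE = re.compile(
    r"login failure for user (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) via (?P<svc>\w+)"
)


def parse_failures(log_text, service="ssh"):
    """Return (user, ip) tuples for every login failure on the given service, in log order."""
    failures = []
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if m and m.group("svc") == service:
            failures.append((m.group("user"), m.group("ip")))
    return failures


def find_signature_hits(failures, signature=SIGNATURE):
    """Return source addresses whose ordered failure sequence contains the signature run.

    A contiguous match is required, so an ordinary brute force that happens to try
    'admin' among many other names does not trigger this rule; the poster's existing
    count-based rules are left to handle that case.
    """
    users_by_ip = defaultdict(list)
    for user, ip in failures:
        users_by_ip[ip].append(user)

    n = len(signature)
    hits = []
    for ip, users in users_by_ip.items():
        if any(tuple(users[i:i + n]) == signature for i in range(len(users) - n + 1)):
            hits.append(ip)
    return sorted(hits, key=ipaddress.ip_address)


def routeros_blacklist_commands(ips, list_name="ssh_blacklist", timeout="30d"):
    """Build RouterOS commands that add each address to a firewall address list.

    list_name and timeout are assumptions; a matching input-chain rule that drops
    traffic from list_name is assumed to exist (the poster's current ban rules).
    """
    return [
        f'/ip firewall address-list add list={list_name} address={ip} '
        f'timeout={timeout} comment="ssh probe signature"'
        for ip in ips
    ]


if __name__ == "__main__":
    hits = find_signature_hits(parse_failures(SAMPLE_LOG))
    for cmd in routeros_blacklist_commands(hits):
        print(cmd)
```

Run against the sample, only the two addresses that sent the full three-name run are listed; the address that hammered `root` twice is ignored here and left to the count-based rules. The address-list timeout is what sets the ban length: a long value such as `30d` gives the longer ban the post asks about, while omitting `timeout=` makes the entry permanent.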