
Brute Force server attacks

Script to block them


coburn

12:35 am on Sep 10, 2006 (gmt 0)




What do you do to block FTP attacks/logins from unknown IP addresses?

Am paying my sysad to block ranges at the moment after each wave of attack, so I'm desperate to find a script that auto-blocks IPs that either:
1. We don't recognise, or
2. IP after a failed set of successive attacks.

Does anyone know of such an application or script?

Bewenched

2:08 am on Sep 10, 2006 (gmt 0)




Instead of paying to block IP addresses, why don't you have your server set up so only you can access it from a specific IP address. Like a VPN. All other attempts other than your static IP address would be allowed.

StupidScript

9:59 pm on Sep 12, 2006 (gmt 0)




Check out denyhosts [denyhosts.sourceforge.net], if you're running a Linux server. It won't do anything for IP addresses that you don't recognize, but you can use the above suggestion if you really want to clamp down. If it's a public web server, denyhosts does a great job.

[edited by: StupidScript at 10:00 pm (utc) on Sep. 12, 2006]

motorhaven

11:28 pm on Sep 12, 2006 (gmt 0)




PM me for a script I've written. It watches the logs in real-time and when it finds X number of failed attempts from a single IP address it immediately writes out a new firewall rule (iptable or ipchains) and the attempts are immediately blocked.

You can define the number of attempts and it's worked very well for my company. We've gone from hundreds, sometimes thousands, of attempts per day to 2-3 tops.

Each firewall rule is commented with the date/time so you can periodically clean out old rules. You can even define allowed IPs so you won't accidentally blacklist yourself!

lammert

1:53 pm on Sep 13, 2006 (gmt 0)




I use fail2ban [fail2ban.sourceforge.net] for brute force login detection. It sends an email to you whenever an intruder is detected and blocks the intruder for a specified amount of time. Intruders are automatically whitelisted after that time to prevent the situation where you block your own access to the server by accidentally entering a wrong password a few times. Most hackers have left by then and will try another less protected victim.

An intruder is defined by anyone who enters more than X wrong passwords within a specified amount of time. The script has decreased brute force SSH and FTP attacks to my servers to almost zero.
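The two posts above (motorhaven's log watcher that writes a commented firewall rule after X failures from one IP, with an allowed-IP list, and lammert's description of fail2ban's "X wrong passwords within a time window, banned for a set time, then unbanned") describe the same mechanism. The following is an added illustration of that mechanism written for this thread; it is not motorhaven's script, nor fail2ban's code. It assumes syslog-style lines from OpenSSH and from vsftpd logging through syslog (the sample lines are constructed), that the iptables `comment` match module is available for tagging rules with the ban time, and a fixed year for the year-less syslog timestamps. It only returns the iptables commands it would run, so you can inspect them before wiring it to a shell.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# syslog timestamps carry no year; this example assumes one (assumption, not a log fact).
LOG_YEAR = 2006

SYSLOG_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (?P<msg>.*)$"
)

# Failed-login message shapes for OpenSSH and for vsftpd when it logs via syslog.
FAIL_PATTERNS = (
    re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from "
               r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"),
    re.compile(r'vsftpd.*FAIL LOGIN: Client "(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"'),
)

# Constructed sample log: one attacker that trips the limit, one that stays under it,
# one allowlisted host (your own), and one whose failures are spread beyond the window.
SAMPLE_LOG = """\
Sep 13 14:00:01 web1 sshd[2201]: Failed password for root from 203.0.113.5 port 40212 ssh2
Sep 13 14:00:03 web1 sshd[2201]: Failed password for root from 203.0.113.5 port 40213 ssh2
Sep 13 14:00:04 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 40214 ssh2
Sep 13 14:00:06 web1 vsftpd: FAIL LOGIN: Client "203.0.113.5"
Sep 13 14:00:07 web1 sshd[2202]: Failed password for invalid user test from 203.0.113.5 port 40215 ssh2
Sep 13 14:01:00 web1 sshd[2203]: Accepted publickey for deploy from 192.0.2.10 port 5000 ssh2
Sep 13 14:01:10 web1 sshd[2204]: Failed password for root from 198.51.100.7 port 6000 ssh2
Sep 13 14:01:11 web1 sshd[2204]: Failed password for root from 198.51.100.7 port 6001 ssh2
Sep 13 14:01:12 web1 sshd[2204]: Failed password for root from 198.51.100.7 port 6002 ssh2
Sep 13 14:02:00 web1 sshd[2205]: Failed password for admin from 192.0.2.10 port 7000 ssh2
Sep 13 14:02:01 web1 sshd[2205]: Failed password for admin from 192.0.2.10 port 7001 ssh2
Sep 13 14:02:02 web1 sshd[2205]: Failed password for admin from 192.0.2.10 port 7002 ssh2
Sep 13 14:02:03 web1 sshd[2205]: Failed password for admin from 192.0.2.10 port 7003 ssh2
Sep 13 14:02:04 web1 sshd[2205]: Failed password for admin from 192.0.2.10 port 7004 ssh2
Sep 13 14:02:05 web1 sshd[2205]: Failed password for admin from 192.0.2.10 port 7005 ssh2
Sep 13 14:10:00 web1 sshd[2206]: Failed password for root from 203.0.113.9 port 8000 ssh2
Sep 13 14:10:01 web1 sshd[2206]: Failed password for root from 203.0.113.9 port 8001 ssh2
Sep 13 14:10:02 web1 sshd[2206]: Failed password for root from 203.0.113.9 port 8002 ssh2
Sep 13 14:25:00 web1 sshd[2207]: Failed password for root from 203.0.113.9 port 8003 ssh2
Sep 13 14:25:01 web1 sshd[2207]: Failed password for root from 203.0.113.9 port 8004 ssh2
"""


def parse_failure(line):
    """Return (timestamp, source ip) for a failed-login line, or None for anything else."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    for pat in FAIL_PATTERNS:
        f = pat.search(m.group("msg"))
        if f:
            ts = datetime.strptime(f"{LOG_YEAR} {m.group('stamp')}", "%Y %b %d %H:%M:%S")
            return ts, f.group("ip")
    return None


class BruteForceWatcher:
    def __init__(self, max_failures=5, window=timedelta(minutes=10),
                 ban_time=timedelta(hours=1), allowlist=()):
        self.max_failures = max_failures
        self.window = window            # failures older than this no longer count
        self.ban_time = ban_time        # how long a DROP rule stays in place
        self.allowlist = [ipaddress.ip_network(a) for a in allowlist]
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.banned = {}                     # ip -> (expiry time, rule spec)

    def is_allowed(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.allowlist)

    @staticmethod
    def rule_spec(ip, when):
        # The comment records when the ban was added so stale rules can be cleaned out later.
        return (f'INPUT -s {ip} -j DROP -m comment '
                f'--comment "bruteforce-ban {when:%Y-%m-%dT%H:%M:%S}"')

    def feed(self, line):
        """Consume one log line; return an iptables insert command when a ban is triggered."""
        parsed = parse_failure(line)
        if parsed is None:
            return None
        ts, ip = parsed
        if self.is_allowed(ip) or ip in self.banned:
            return None
        recent = self.failures[ip]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:   # slide the window forward
            recent.popleft()
        if len(recent) < self.max_failures:
            return None
        spec = self.rule_spec(ip, ts)
        self.banned[ip] = (ts + self.ban_time, spec)
        del self.failures[ip]
        return f"iptables -I {spec}"

    def expire(self, now):
        """Return delete commands for every ban whose time is up, and forget those bans."""
        cmds = []
        for ip, (expiry, spec) in list(self.banned.items()):
            if now >= expiry:
                cmds.append(f"iptables -D {spec}")
                del self.banned[ip]
        return cmds


def run(lines, **kwargs):
    """Feed every line through a watcher; return it and the commands it emitted (not executed)."""
    watcher = BruteForceWatcher(**kwargs)
    cmds = [c for c in (watcher.feed(l) for l in lines) if c]
    return watcher, cmds


if __name__ == "__main__":
    w, cmds = run(SAMPLE_LOG.splitlines(), allowlist=["192.0.2.0/24"])
    print("\n".join(cmds))
```

In production the lines would come from `tail -F` on the auth log, `expire()` would be called on a timer, and the emitted commands handed to root. Putting your own ranges in `allowlist` is what keeps you from locking yourself out, and the timed `expire()` is what turns a permanent blacklist into the self-healing ban lammert describes.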

Frank_Rizzo

2:02 pm on Sep 13, 2006 (gmt 0)




Most of the time blocking and logging IPs is futile as hundreds of proxies would be used during the attack.

Best to use a script to shut down ftp service for an hour when more than X login attempts hit.

If you can just set ftp / ssh to only allow

a) authorised IP address
b) authorised accounts only

And never allow root access.

lammert

2:19 pm on Sep 13, 2006 (gmt 0)




Best to use a script to shut down ftp service for an hour

Then the hackers get what they want, a server initiated denial of service. :) I am sure hackers would love to know the IP address of your FTP server. Just 24 small attacks per day keeps that server totally unreachable.

Also, blocking FTP access is not possible in all situations. For many companies FTP access is just as vital as HTTP access (hosting facilities, large file downloads, etc)

coburn

9:01 am on Sep 17, 2006 (gmt 0)




Wow! Thx for the great array of ideas. Sysad is checking them out.

In the meantime we managed to almost eliminate the attacks through a simple change: changed the SSH port to 8022.