Hi. I would like to be able to deny IP address for too many failed login attemps (either from ssh, sftp, ftp, etc). The system I wish this to work on is an AIX 5.1 system. I'm new to AIX but I'm a linux user. There is a program for linux called fail2ban which reads from the log files and see if there are failed login attemps, and if there are enough (or it meets the conditions you specify) than it will do an action, such as denying all traffic from that IP. In linux this is done by adding the entry to the iptables, but I typed iptables in AIX and It (at least on the server we use) said it did not have such a command. So, does anyone know any program on AIX in which we can see where remote login attempts come from and if they fail many times in a short peorid of time we can ban that IP and drop an email to the sys admin telling them that someone was banned?
well we use a firewall to do most of our protection, however have you looked at:
smit user
Reset User's Failed Login Count
then or...
chsec -f /etc/security/lastlog -a "unsuccessful_login_count=0" -s 'kmj'
view /etc/security/lastlog
/kmj
kmj:
time_last_login = 1156789317
tty_last_login = /dev/pts/42
host_last_login = valued-827c7724
unsuccessful_login_count = 5
time_last_unsuccessful_login = 1166039821
tty_last_unsuccessful_login = /dev/pts/16
host_last_unsuccessful_login = user.domain.com
I know this will lock down your telnet users that fail to many times. sorry no ideas on the IP based.