Re: attempts to hack in?

On 2017-06-30 15:35, Ed Greshko wrote:
> On 06/30/17 09:10, jdow wrote:
>> A rule like this makes cracking your 123456 password a whole lot harder without
>> changing anything else.
>>
>> iptables -t filter -A IN_public_deny -p tcp --dport pop3s --syn \
>>   -m recent --name pop3s_attack --rcheck --seconds 90 --hitcount 2 \
>>   -j LOG --log-prefix 'SSH2 REJECT: ' --log-level info
>>
>> The magic is in "-m recent --rcheck --seconds 90 --hitcount 2". That means any
>> given site gets one chance to log in before facing a 90 second blockage. If they
>> have to guess "AZBYCXDW" as a password you can imagine how long you have to catch
>> him in your log and explicitly block his whole subnet.
>
> I once did rate limiting on brute force login attempts.  But I found that all the
> attempts were scripted.  So instead of an attack from a single IP address happening
> for a minute or so the attack simply went on for hours.  The same number of attempts
> were made.

I have never seen the hours-long attack. Back when I was just using the standard ssh port I'd see one hit, one try for a password, and about 10 to 1000 rapid-fire hits on the ssh port, all blocked. ONCE I saw symptoms of waiting for several minutes and trying again. I noticed it within 24 hours even though the dweeb only tried about 10 times. I blocked his entire IP block since it was in a country I have no desire to ever visit.

I do keep watch. If a determined person starts at the time logwatch runs, notices the second-try lockout, makes a VERY good guess of the time, and tries every 91 seconds, that's under 1000 attempts before the next logwatch time and another 400ish times before I go through the report and notice the login attempts. Suppose the password is a nonsense word 5 to 8 characters long. How likely is he to be able to fuzz it within 1400 tries? I end up with a cluttered log and a blocked IP range before dweeble can go any further. I'd also equally quickly notice attempts from multiple IPs. In theory, with thousands of sites pounding mine he could achieve access to a machine set up like mine on a pathetically slow DSL link in a few days. It would stand out in my logs like a huge red flare during a dark moonless night. Emotionally I operate the firewall as if I had sshd with passworded root access open, so that I watch it closely. I don't want to get complacent. (Long semi-nonsense passwords tend to do that, especially when you have throw-away accounts with such passwords that have not been cracked in the three decades I have been online, from the old CP/M days through to today.)

{^_^}
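Added example, not code from the thread: a small Python model of the `-m recent --rcheck --seconds 90 --hitcount 2` semantics in the quoted rule, run against the two attack patterns discussed above (rapid fire versus a script that paces itself just past the window). It assumes a `--set` rule records every SYN before the quoted rule is checked, and the source addresses used are constructed.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 90   # --seconds 90 in the quoted rule
HITCOUNT = 2          # --hitcount 2 in the quoted rule


class RecentList:
    """Toy model of one xt_recent list (the quoted --name pop3s_attack).

    Assumption: a '--set' rule records every SYN before the quoted
    '--rcheck --seconds 90 --hitcount 2' rule is evaluated, which is the
    usual two-rule pattern; the quoted rule on its own only logs.
    """

    def __init__(self, window=WINDOW_SECONDS, hitcount=HITCOUNT):
        self.window = window
        self.hitcount = hitcount
        self.stamps = defaultdict(deque)  # source address -> SYN timestamps

    def syn(self, src, now):
        """Handle one SYN from src at time `now` (seconds); return the verdict."""
        q = self.stamps[src]
        q.append(now)                       # --set: remember this packet
        # --rcheck --seconds N counts only stamps younger than N seconds;
        # older ones no longer matter, so drop them from the front.
        while q and now - q[0] >= self.window:
            q.popleft()
        # --hitcount 2: the rule matches (log/reject) on the second SYN seen
        # inside the window, so each address gets one free try per window.
        return "reject" if len(q) >= self.hitcount else "allow"


def attempts_allowed(interval, duration, src="198.51.100.7"):
    """Attempts that reach the daemon from one source (constructed address)
    retrying every `interval` seconds for `duration` seconds."""
    rl = RecentList()
    allowed, now = 0, 0
    while now < duration:
        if rl.syn(src, now) == "allow":
            allowed += 1
        now += interval
    return allowed


if __name__ == "__main__":
    # Rapid-fire scripted attempts: one gets through, the rest are rejected.
    print("1/s for 10 min:", attempts_allowed(1, 600))
    # A script pacing itself past the window is never blocked; this is the
    # hours-long pattern from the reply, about 950 attempts in a day.
    print("every 91 s for 24 h:", attempts_allowed(91, 86400))
```

The second figure is why the rule only buys time: the log, not the rate limit, is what catches the patient script.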