Re: sshd: Authentication Failures: 137 Time(s)




On Monday 04 April 2011 12:18:43 Rainer Traut wrote:
> Hi,
> 
> to prevent scripted dictionary attacks to sshd
> I applied those iptables rules:
> 
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --name SSH --rsource -j DROP
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m recent --set --name SSH --rsource
> 
> And this is part of logwatch:
> 
> sshd:
>      Authentication Failures:
>         unknown (www.telkom.co.ke): 137 Time(s)
>         unknown (mkongwe.jambo.co.ke): 130 Time(s)
>         unknown (212.49.70.24): 107 Time(s)
>         root (195.191.250.101): 8 Time(s)
> 
> How is it possible for an attacker to try to log on more than 4 times?
> Can the attacker do this with only one TCP/IP connection without
> establishing a new one?
> Or have the scripts been adapted to this?

The attackers are not trying constantly. Just a few bursts of tries.

Look at denyhosts (http://denyhosts.sourceforge.net/).
I also have a tool for protecting from brute force attacks called Hawk
(https://github.com/hackman/Hawk-IDS-IPS).

Marian
> 
> Thx
> Rainer
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> http://lists.centos.org/mailman/listinfo/centos

-- 
Best regards,
Marian Marinov
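
As an added illustration (not part of the original message), this simplified Python model of the two quoted `recent` rules shows why per-source failure counts can far exceed 4: the rules limit new TCP connections per 60 seconds, not password attempts. It assumes sshd's `MaxAuthTries` is left at its default of 6; the addresses and traffic are constructed.

```python
from collections import defaultdict, deque

WINDOW_S = 60        # --seconds 60
HITCOUNT = 4         # --hitcount 4
MAX_AUTH_TRIES = 6   # assumption: sshd_config MaxAuthTries left at its default


def filter_new_connections(events):
    """Apply a simplified model of the two rules to (time_s, src_ip) NEW packets.

    Rule 1 (--update ... -j DROP): drop if the source already has HITCOUNT
    recorded hits within WINDOW_S; the dropped packet is itself recorded.
    Rule 2 (--set): otherwise record the hit and let later rules accept it.
    Returns {src_ip: number of connections that got through}.
    """
    seen = defaultdict(deque)
    accepted = defaultdict(int)
    for t, src in sorted(events):
        stamps = seen[src]
        while stamps and t - stamps[0] > WINDOW_S:
            stamps.popleft()          # older than the window, no longer counted
        if len(stamps) < HITCOUNT:
            accepted[src] += 1        # falls through rule 1 and reaches sshd
        stamps.append(t)              # recorded by --set or by --update
    return dict(accepted)


def max_failures(events, tries_per_conn=MAX_AUTH_TRIES):
    """Upper bound on failed logins sshd can log per source."""
    passed = filter_new_connections(events)
    return {src: n * tries_per_conn for src, n in passed.items()}


# Constructed traffic (documentation addresses, not from the logwatch report):
# a burst of 10 SYNs in 10 s, and a source connecting every 20 s for 10 minutes.
BURST = [(i, "192.0.2.10") for i in range(10)]
STEADY = [(i * 20, "198.51.100.7") for i in range(30)]

if __name__ == "__main__":
    for src, n in sorted(max_failures(BURST + STEADY).items()):
        print(f"{src}: up to {n} failed logins")
```

Lowering `MaxAuthTries` in `sshd_config` shrinks the per-connection multiplier, which the firewall rules alone cannot do.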

