On Monday 04 April 2011 12:18:43 Rainer Traut wrote:
> Hi,
>
> to prevent scripted dictionary attacks to sshd
> I applied those iptables rules:
>
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --name SSH --rsource -j DROP
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m recent --set --name SSH --rsource
>
> And this is part of logwatch:
>
> sshd:
>     Authentication Failures:
>         unknown (www.telkom.co.ke): 137 Time(s)
>         unknown (mkongwe.jambo.co.ke): 130 Time(s)
>         unknown (212.49.70.24): 107 Time(s)
>         root (195.191.250.101): 8 Time(s)
>
> How is it possible for an attacker to try to log on more than 4 times?
> Can the attacker do this with only one TCP/IP connection without
> establishing a new one?
> Or have the scripts been adapted to this?

The attackers are not trying constantly. Just a few bursts of tries.
Look at denyhosts ( http://denyhosts.sourceforge.net/ ).
I also have a tool for protecting from brute force attacks called Hawk ( https://github.com/hackman/Hawk-IDS-IPS ).

Marian

>
> Thx
> Rainer
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> http://lists.centos.org/mailman/listinfo/centos

--
Best regards,
Marian Marinov
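The rules quoted above count new TCP connections per source address (the `recent` module with --seconds 60 --hitcount 4), while the logwatch numbers count authentication failures. One SSH connection can carry several password attempts (sshd's MaxAuthTries, 6 by default), and sshd logs the client's source port, so failures sharing the same (ip, port) pair belong to one connection. The following script is an added example, not code from the thread, denyhosts or Hawk: it reads constructed /var/log/secure style lines and reports, per source, how many failures were logged, how many came over each connection, and how many connections were opened in any 60-second window, which is the only quantity the quoted iptables rule can limit.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in CentOS /var/log/secure format (not from the original post).
# Addresses are documentation ranges; ports are chosen so two connections are visible.
SAMPLE_LOG = """\
Apr  4 10:01:02 host sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2
Apr  4 10:01:04 host sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2
Apr  4 10:01:06 host sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2
Apr  4 10:01:08 host sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2
Apr  4 10:01:10 host sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2
Apr  4 10:01:12 host sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2
Apr  4 10:01:13 host sshd[2104]: Accepted publickey for rainer from 203.0.113.5 port 55000 ssh2
Apr  4 10:01:20 host sshd[2107]: Failed password for invalid user test from 192.0.2.10 port 40002 ssh2
Apr  4 10:01:22 host sshd[2107]: Failed password for invalid user test from 192.0.2.10 port 40002 ssh2
Apr  4 10:05:33 host sshd[2210]: Failed password for root from 198.51.100.7 port 51000 ssh2
"""

# Matches OpenSSH "Failed password" lines; "invalid user " is present only for unknown accounts.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+) ssh2$"
)


def parse_failures(log_text):
    """Return (timestamp, user, ip, port) for every failed-password line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; relative ordering is all we need here
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append((ts, m.group("user"), m.group("ip"), int(m.group("port"))))
    return events


def attempts_per_source(events):
    """What logwatch reports: total failures per source address."""
    counts = defaultdict(int)
    for _, _, ip, _ in events:
        counts[ip] += 1
    return dict(counts)


def attempts_per_connection(events):
    """Failures keyed by (ip, port); the same pair means the same TCP connection."""
    counts = defaultdict(int)
    for _, _, ip, port in events:
        counts[(ip, port)] += 1
    return dict(counts)


def max_new_connections(events, window_seconds=60):
    """Largest number of distinct connections a source opened inside any sliding window.

    This is what an iptables `recent --seconds 60 --hitcount N` rule on NEW packets sees,
    so it is the figure to compare against the hitcount, not the failure total."""
    first_seen = {}
    for ts, _, ip, port in events:
        key = (ip, port)
        if key not in first_seen or ts < first_seen[key]:
            first_seen[key] = ts
    by_ip = defaultdict(list)
    for (ip, _), ts in first_seen.items():
        by_ip[ip].append(ts)
    window = timedelta(seconds=window_seconds)
    result = {}
    for ip, times in by_ip.items():
        times.sort()
        best = 0
        for i, start in enumerate(times):
            best = max(best, sum(1 for t in times[i:] if t - start < window))
        result[ip] = best
    return result


if __name__ == "__main__":
    ev = parse_failures(SAMPLE_LOG)
    print("failures per source:   ", attempts_per_source(ev))
    print("failures per connection:", attempts_per_connection(ev))
    print("max new connections/60s:", max_new_connections(ev))
```

For the constructed input, 192.0.2.10 shows 8 failures but only 2 new connections in the minute, so a rule keyed on new connections with hitcount 4 never fires; that gap is what a log-based tool such as denyhosts or Hawk closes by counting the failures themselves.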