You could also try using tcpwrappers along with iptables.
On 04/04/2011 06:34 AM, Marian Marinov wrote:
> On Monday 04 April 2011 12:18:43 Rainer Traut wrote:
>> Hi,
>>
>> to prevent scripted dictionary attacks to sshd
>> I applied those iptables rules:
>>
>> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m recent
>> --update --seconds 60 --hitcount 4 --name SSH --rsource -j DROP
>> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m recent --set
>> --name SSH --rsource
>>
>> And this is part of logwatch:
>>
>> sshd:
>> Authentication Failures:
>> unknown (www.telkom.co.ke): 137 Time(s)
>> unknown (mkongwe.jambo.co.ke): 130 Time(s)
>> unknown (212.49.70.24): 107 Time(s)
>> root (195.191.250.101): 8 Time(s)
>>
>> How is it possible for an attacker to try to logon more then 4 times?
>> Can the attacker do this with only one TCP/IP connection without
>> establishing a new one?
>> Or have the scripts been adapted to this?
>
> The attackers are not trying constantly.. Just a few bursts of trys.
>
> Look at denyhosts ( http://denyhosts.sourceforge.net/ ).
> I also have a tool for protecting from brute force attacks called Hawk (
> https://github.com/hackman/Hawk-IDS-IPS ).
>
> Marian
>>
>> Thx
>> Rainer
>> _______________________________________________
>> CentOS mailing list
>> CentOS@xxxxxxxxxx
>> http://lists.centos.org/mailman/listinfo/centos
>
>
>
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> http://lists.centos.org/mailman/listinfo/centos
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
