On 10.03.2013 03:01, Les Mikesell wrote:
> On Sat, Mar 9, 2013 at 11:57 AM, Tilman Schmidt
> <t.schmidt@xxxxxxxxxxxxxxxxxx> wrote:
>>
>> Mar 3 04:44:48 gimli sshd[12870]: reverse mapping checking getaddrinfo
>> for hn.ly.kd.adsl failed - POSSIBLE BREAK-IN ATTEMPT!
>> Mar 3 04:44:49 gimli sshd[12871]: Received disconnect from
>> 61.163.113.72: 11: Bye Bye
>>
>> If I set "UseDNS no" the first message disappears and only the second
>> one remains.
>>
>> So it seems there is no way to identify password bruteforcing attempts
>> on servers which don't accept password authentication in the first
>> place.
>
> Can't you pick some reasonable number of 'received disconnect'
> messages to allow from a single IP?

Yes, I think that should work. I was worried that "received disconnect"
messages might also appear for legitimate connections, but looking
through my logs it seems that they don't. I have set it up as a test on
one of my servers with a threshold of 15 attempts in 1000 secs now to
see how it will fare.

Thanks,
Tilman

--
Tilman Schmidt
Phoenix Software GmbH
Bonn, Germany
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
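The threshold check discussed in this thread (15 "Received disconnect" lines from one IP within 1000 seconds), written out as an added example that is not part of the original messages. The function names, the `year` argument (syslog timestamps carry none) and the sample log lines with documentation-range IPs are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the sshd line format quoted in the thread:
#   Mar 3 04:44:49 gimli sshd[12871]: Received disconnect from <ip>: 11: Bye Bye
DISCONNECT_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Received disconnect from ([0-9A-Fa-f.:]+): \d+:")

def parse_line(line, year=2013):
    """Return (timestamp, ip) for a 'Received disconnect' line, else None."""
    m = DISCONNECT_RE.match(line)
    if not m:
        return None
    # Assumption: the caller supplies the year, since syslog omits it.
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2)

def find_offenders(lines, threshold=15, window_secs=1000, year=2013):
    """Map each IP to the time it first reached `threshold` disconnects
    inside a sliding window of `window_secs` seconds."""
    window = timedelta(seconds=window_secs)
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    offenders = {}
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue  # other sshd messages are ignored
        ts, ip = parsed
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop events that aged out
            q.popleft()
        if len(q) >= threshold and ip not in offenders:
            offenders[ip] = ts
    return offenders

def sample_log():
    """Constructed input: one IP every 60 s, another every 120 s."""
    base = datetime(2013, 3, 3, 4, 0, 0)
    lines = ["Mar  3 04:00:00 gimli sshd[100]: reverse mapping checking "
             "getaddrinfo for host.example failed - POSSIBLE BREAK-IN ATTEMPT!"]
    for i in range(15):
        for ip, step in (("203.0.113.50", 60), ("198.51.100.7", 120)):
            t = base + timedelta(seconds=i * step)
            lines.append(f"{t:%b} {t.day:2d} {t:%H:%M:%S} gimli "
                         f"sshd[{200 + i}]: Received disconnect from {ip}: 11: Bye Bye")
    return lines

if __name__ == "__main__":
    print(find_offenders(sample_log()))
```

The slower client also produces 15 disconnects in total, but never more than 9 inside any 1000-second window, so only the 60-second client crosses the threshold.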