Thanks for the help. I completely missed that error.
This guy is persistent. After I cut off 220.232.152.137 we had intrusion
attempts from 216.107.171.10. After I cut off that one then we had
attempts from 69.80.235.135. Since blocking that network we have had no
more attempts recorded.
When I first detected this attempt I thought that my iptable ssh throttle
rules were somehow defective:
15 DROP tcp -- anywhere anywhere tcp
dpt:ssh state NEW recent: CHECK seconds: 15 name: THROTTLE side: source
16 ACCEPT tcp -- anywhere anywhere tcp
dpt:ssh state NEW recent: SET name: THROTTLE side: source
however, more careful consideration of the log entries showed that the
intruder was connecting every 23-24 seconds, which is outside the throttle
threshold of 15 seconds. I am still concerned about any brute force
attempt to discover the root password but, given no more than four
connections per minute is possible, just how concerned should I be?
It is evident that this attacker had more than one netblock available. It
is conceivable that, instead of serially attacking us, they could just
have easily attempted multiple simultaneous connections from all of their
available IP addresses. This would completely defeat the current throttle
rules. Should I also throttle the total number of new connections from
all IPs?
--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne mailto:ByrneJB@xxxxxxxxxxxxx
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
