Re: repeated failed logons and ignoring them

On Monday 26 June 2006 at 15:44 -0400, tyche wrote:
> On Monday 26 June 2006 08:11, Rob Sterenborg wrote:
> > On Mon, June 26, 2006 13:02, tyche wrote:
> > > over the last few days, my server has been attacked. i
> > > would like to limit remote logon attempts by address so
> > > that if someone tries to logon from an ip address and
> > > fails 3 times, my computer will ignore repeated attempts
> > > from that ip address. any idea how to make a rule for
> > > this?
> >
> > What type of logon? SSH, telnet, ...?
> 
> sorry, what comes from typing email when you're still asleep.
> most seem to be hitting my sshd, tho the username/password 
> combo leads me to believe that the person is using a database 
> to try to overload the server.
> 
> killed some pids that were owned by sshd and they kept
> cropping up faster than i could kill them.

Installing pam_abl can be an eye-opener:

/usr/sbin/pam_abl
Failed users:
...
    aaliyah (1)
        Not blocking
    aaron (9)
        Not blocking
    aarti (1)
        Not blocking
    ab (1)
        Not blocking
    aba (1)
        Not blocking
    abarisic (2)
        Not blocking
    abarros (1)
        Not blocking
    abb (1)
        Not blocking
    abbey (1)
        Not blocking
    abbey1 (1)
        Not blocking
    abbey123 (1)
        Not blocking
...
    rooot (1)
        Not blocking
    root (367)
        Blocking users [!root]
    root-admin (5)
        Not blocking
    root-oliver (3)
        Not blocking
    root1 (1)
        Not blocking
...
Failed hosts:
...
    wpc0963.amenworld.com (3379)
        Not blocking
    yer91-3-82-245-132-80.fbx.proxad.net (168)
        Blocking users [*]

Meaning that sometime in the last two months wpc0963.amenworld.com tried a
brute-force attack with 3379 logons - but it's old, so the host is
allowed to try again, while yer91-3-82-245-132-80.fbx.proxad.net has
already passed the threshold and this is recent, so it's still blocked.

This also shows that few accounts except root are hammered; most malware
just tries every account it can think of once, so non-trivial passwords
help a lot more than unusual account names.

Regards,

-- 
Nicolas Mailhot

Attachment: signature.asc
Description: This is a digitally signed message part
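The rule the listing above illustrates (a host or user whose failures inside a time window reach a limit is blocked; older failures expire, so a large old total like wpc0963's does not block while a smaller recent burst does) can be modelled in a few dozen lines. The Python below is an added illustration, not pam_abl's own code and not part of the original thread: it parses sshd-style "Failed password" lines, keeps an all-time count per host and per user like the pam_abl listing, and decides blocking only from failures inside the window. The log lines, hostnames and addresses (RFC 5737 documentation ranges), the limits (3 per host and 5 per user within one hour) and the evaluation times NOW and EARLIER are all constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Matches sshd's syslog line for a failed password; "Accepted ..." lines do not match.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<host>\S+) port \d+"
)

# Constructed sample log: an old burst from 192.0.2.10, two recent bursts against
# root, one lone attempt, and one successful key logon that must be ignored.
SAMPLE_LOG = """\
Jun 24 03:12:01 gw sshd[4021]: Failed password for invalid user aaron from 192.0.2.10 port 51022 ssh2
Jun 24 03:12:05 gw sshd[4023]: Failed password for invalid user abbey from 192.0.2.10 port 51030 ssh2
Jun 24 03:12:09 gw sshd[4025]: Failed password for root from 192.0.2.10 port 51041 ssh2
Jun 26 14:50:17 gw sshd[5102]: Failed password for root from 198.51.100.7 port 3344 ssh2
Jun 26 14:51:02 gw sshd[5104]: Failed password for root from 198.51.100.7 port 3351 ssh2
Jun 26 14:52:40 gw sshd[5107]: Failed password for invalid user admin from 198.51.100.7 port 3360 ssh2
Jun 26 14:55:00 gw sshd[5110]: Accepted publickey for nicolas from 192.0.2.99 port 40000 ssh2
Jun 26 15:01:11 gw sshd[5120]: Failed password for root from 203.0.113.5 port 2201 ssh2
Jun 26 15:02:30 gw sshd[5122]: Failed password for root from 203.0.113.5 port 2207 ssh2
Jun 26 15:04:58 gw sshd[5125]: Failed password for root from 203.0.113.5 port 2213 ssh2
Jun 26 15:06:20 gw sshd[5130]: Failed password for root from 192.0.2.44 port 60012 ssh2
"""

# Constructed evaluation instants: shortly after the recent bursts, and shortly
# after the old burst (when 192.0.2.10 would still have been inside the window).
NOW = datetime(2006, 6, 26, 15, 10)
EARLIER = datetime(2006, 6, 24, 3, 30)


def parse_failures(log_text, year=2006):
    """Return a list of (timestamp, user, host) for every failed-password line.

    Syslog lines carry no year, so the caller supplies it (assumed 2006 here).
    """
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logons and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        failures.append((ts, m["user"], m["host"]))
    return failures


def count_recent(events, now, window):
    """Count events per key whose timestamp lies within (now - window, now]."""
    return Counter(key for ts, key in events if now - window < ts <= now)


def report(failures, now, host_limit=3, user_limit=5, window=timedelta(hours=1)):
    """Return {"hosts": {host: (total, blocked)}, "users": {user: (total, blocked)}}.

    'total' counts every failure ever seen (the number in parentheses in a
    pam_abl-style listing); 'blocked' is True only when the failures inside the
    window reach the limit, so an old burst expires while a recent one blocks.
    """
    host_events = [(ts, host) for ts, _, host in failures]
    user_events = [(ts, user) for ts, user, _ in failures]
    recent_hosts = count_recent(host_events, now, window)
    recent_users = count_recent(user_events, now, window)
    hosts = {h: (n, recent_hosts[h] >= host_limit)
             for h, n in Counter(h for _, h in host_events).items()}
    users = {u: (n, recent_users[u] >= user_limit)
             for u, n in Counter(u for _, u in user_events).items()}
    return {"hosts": hosts, "users": users}


def blocked_hosts(failures, now, **limits):
    """Sorted list of hosts the report would block at 'now'."""
    return sorted(h for h, (_, b) in report(failures, now, **limits)["hosts"].items() if b)


if __name__ == "__main__":
    failures = parse_failures(SAMPLE_LOG)
    for kind in ("hosts", "users"):
        print(f"Failed {kind}:")
        for name, (total, blocked) in sorted(report(failures, NOW)[kind].items()):
            print(f"    {name} ({total})")
            print(f"        {'Blocking' if blocked else 'Not blocking'}")
```

Run as a script it prints a listing in the same shape as the pam_abl output above; at NOW the two recent hosts and the root account are blocking, while 192.0.2.10 shows its full count but is not blocking because its burst has aged out of the window. Evaluating the same data at EARLIER reverses that: 192.0.2.10 is inside its window and blocks, root is not.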

