| 1 |
On Mon, Jun 05, 2006 at 05:27:24PM +0200, Oliver Schmidt wrote: |
| 2 |
> > this seems to be a brute force attack, but one thing that worried me |
| 3 |
> > is why sshd didn't disconnect the remote host after 3 unsuccessful |
| 4 |
> > attemps? If we see in the log, there are many attemps with time |
| 5 |
> > interval between attemps of 2 or 3 seconds meaning that the sshd |
| 6 |
> > didn't disconnect the remote host after 3 attempts. |
| 7 |
> > So, first, Am I thinking correct about the sshd attempts? |
| 8 |
> > Second, how can I setup sshd or the entire system to permit just 2 or |
| 9 |
> > 3 attempts of authentication? I was checking the /etc/login.defs file |
| 10 |
> > and I see the following option: |
| 11 |
|
| 12 |
Please tell me if I am wrong, but IIRC, each connection attempt to sshd calls |
| 13 |
one instance of login, so altough the LOGIN_RETRIES option sets 3 attempts |
| 14 |
before the program exits, an ip address is free to initiate another connection. |
| 15 |
|
| 16 |
There has been many discussions on this list in the past 18 months regarding |
| 17 |
this very issue (blocking brute-force ssh attempts). A search on gmane should |
| 18 |
give you some ideas about how to use iptables to filter out the offending |
| 19 |
ip addresses but limiting number of connections allowed per time period. |
| 20 |
|
| 21 |
> Try use Denyhosts ... no problem with bruteforce attacks anymore. Denyhosts |
| 22 |
> add the IP of the attacker to the /etc/hosts.deny file. |
| 23 |
> Install it with: |
| 24 |
> ACCEPT_KEYWORDS="~x86" emerge denyhosts |
| 25 |
> and add to your /etc/crontab |
| 26 |
> */10 * * * * root python /usr/bin/denyhosts -c /etc/denyhosts.conf |
| 27 |
> |
| 28 |
> Use it now for more then a year... its perfect to block bruteforce attacks. |
| 29 |
> |
| 30 |
|
| 31 |
Hey, this is a great program. If it were in portage earlier I wouldn't have |
| 32 |
needed to write my own solution to the problem. (I use a perl script to |
| 33 |
parse /var/log/pwdfail and drop the connection at the firewall.) |
| 34 |
|
| 35 |
According to the homepage of denyhosts, it should be able to run in daemon mode, |
| 36 |
by following the log file. Is there any reason you prefer running it in crontab |
| 37 |
instead of as a daemon? I am asking because judging from my past experiences, |
| 38 |
the attackers often send out multiple attempts per second, so a */10 would |
| 39 |
let in upwards of 30 attempts before denyhosts picks up. |
| 40 |
|
| 41 |
Best, |
| 42 |
|
| 43 |
W |
| 44 |
-- |
| 45 |
Willie W. Wong |
| 46 |
wwong@××××××××××××××.edu |
| 47 |
brought to you by the Roman letter i, the Hebrew letter \aleph, the Greek |
| 48 |
letter \pi, and the non-letter \hbar |
| 49 |
-- |
| 50 |
gentoo-user@g.o mailing list |
Archives