On Mon, Jun 05, 2006 at 05:27:24PM +0200, Oliver Schmidt wrote:
> > this seems to be a brute force attack, but one thing that worried me
> > is why sshd didn't disconnect the remote host after 3 unsuccessful
> > attempts? If we see in the log, there are many attempts with time
> > interval between attempts of 2 or 3 seconds meaning that the sshd
> > didn't disconnect the remote host after 3 attempts.
> > So, first, am I thinking correctly about the sshd attempts?
> > Second, how can I set up sshd or the entire system to permit just 2 or
> > 3 attempts of authentication? I was checking the /etc/login.defs file
> > and I see the following option:

Please tell me if I am wrong, but IIRC, each connection attempt to sshd calls
one instance of login, so although the LOGIN_RETRIES option sets 3 attempts
before the program exits, an IP address is free to initiate another connection.

There have been many discussions on this list in the past 18 months regarding
this very issue (blocking brute-force ssh attempts). A search on gmane should
give you some ideas about how to use iptables to filter out the offending
IP addresses by limiting the number of connections allowed per time period.

> Try using Denyhosts ... no problem with bruteforce attacks anymore. Denyhosts
> adds the IP of the attacker to the /etc/hosts.deny file.
> Install it with:
> ACCEPT_KEYWORDS="~x86" emerge denyhosts
> and add to your /etc/crontab
> */10 * * * * root python /usr/bin/denyhosts -c /etc/denyhosts.conf
>
> Have used it now for more than a year... it's perfect to block bruteforce attacks.
>

Hey, this is a great program. If it were in portage earlier I wouldn't have
needed to write my own solution to the problem. (I use a perl script to
parse /var/log/pwdfail and drop the connection at the firewall.)

According to the homepage of denyhosts, it should be able to run in daemon mode,
by following the log file. Is there any reason you prefer running it in crontab
instead of as a daemon? I am asking because judging from my past experiences,
the attackers often send out multiple attempts per second, so a */10 would
let in upwards of 30 attempts before denyhosts picks up.

Best,

W
--
Willie W. Wong
wwong@××××××××××××××.edu
brought to you by the Roman letter i, the Hebrew letter \aleph, the Greek
letter \pi, and the non-letter \hbar
--
gentoo-user@g.o mailing list
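The mechanics the thread is arguing about, as an added example that is not part of the original messages, Willie's perl script, or DenyHosts itself: a log watcher that counts failed sshd logins per source address across connections (the count LOGIN_RETRIES cannot keep, since every connection is a fresh sshd child), emits tcp_wrappers entries once a host crosses a threshold, and compares how many attempts an attacker gets in when the watcher follows the log continuously versus when it only runs from a */10 cron entry. The log lines are constructed samples in the syslog/OpenSSH format of the time; the threshold, the 10-minute window, the host name `gw` and the addresses are assumptions.

```python
"""Added example, not code from the thread: per-IP failed-login counting for sshd,
hosts.deny output, and daemon-vs-cron comparison on a constructed sample log."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Classic OpenSSH failure line as syslog writes it (format assumed, not copied
# from the thread). Both "Failed password for root" and
# "Failed password for invalid user admin" show up during brute-force runs.
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+(?:\.\d+){3})"
)


def sample_log():
    """Constructed sample: one attacker at 2-second intervals (the spacing the
    original poster saw) plus one typo from a legitimate user. Not real data."""
    lines = []
    t0 = datetime(2006, 6, 5, 17, 27, 24)
    for i in range(40):
        ts = t0 + timedelta(seconds=2 * i)
        user = "root" if i % 2 else "invalid user admin"
        lines.append(
            f"{ts:%b} {ts.day:>2} {ts:%H:%M:%S} gw sshd[{4000 + i}]: "
            f"Failed password for {user} from 10.0.0.5 port {50000 + i} ssh2"
        )
    lines.append("Jun  5 17:30:05 gw sshd[4100]: Failed password for alice "
                 "from 192.168.1.20 port 40001 ssh2")
    lines.append("Jun  5 17:30:06 gw sshd[4100]: Accepted password for alice "
                 "from 192.168.1.20 port 40001 ssh2")
    return lines


def parse_failures(lines, year=2006):
    """Return sorted (timestamp, ip, user) tuples for failed-login lines.
    Syslog timestamps carry no year, so the caller supplies it."""
    events = []
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())  # collapse "Jun  5" to "Jun 5"
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return sorted(events)


def offenders(events, threshold=3, window=timedelta(minutes=10)):
    """Map ip -> time it reached `threshold` failures inside a sliding `window`.
    This is the cross-connection state a per-process limit like LOGIN_RETRIES
    never has: each connection is a new sshd child with a count of zero."""
    recent = defaultdict(deque)
    blocked = {}
    for ts, ip, _user in events:
        if ip in blocked:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            blocked[ip] = ts
    return blocked


def hosts_deny_lines(blocked, service="sshd"):
    """tcp_wrappers entries of the kind appended to /etc/hosts.deny."""
    return [f"{service}: {ip}" for ip in sorted(blocked)]


def next_cron_tick(ts, every_minutes=10):
    """First */N cron firing at or after ts (cron fires on minute multiples of N)."""
    floor = ts.replace(second=0, microsecond=0)
    if floor == ts and ts.minute % every_minutes == 0:
        return ts
    return floor + timedelta(minutes=every_minutes - floor.minute % every_minutes)


def attempts_before_block(events, ip, block_time):
    """Failed attempts from ip that sshd still answered up to block_time."""
    return sum(1 for ts, e_ip, _ in events if e_ip == ip and ts <= block_time)


def compare_modes(lines, threshold=3, cron_minutes=10):
    """Attempts the first offender gets in under daemon (log-following) mode,
    where the block lands at the threshold crossing, versus a */N cron run,
    where it lands at the next cron tick. Returns {"daemon": n, "cron": n}."""
    events = parse_failures(lines)
    blocked = offenders(events, threshold)
    ip, crossed = min(blocked.items(), key=lambda kv: kv[1])
    return {
        "daemon": attempts_before_block(events, ip, crossed),
        "cron": attempts_before_block(events, ip, next_cron_tick(crossed, cron_minutes)),
    }


if __name__ == "__main__":
    log = sample_log()
    print(hosts_deny_lines(offenders(parse_failures(log))))
    print(compare_modes(log))
```

On the constructed log the attacker is stopped after 3 attempts when the log is followed continuously, but gets all 40 attempts in before a 17:30 cron tick, which is the gap Willie is pointing at; the same `blocked` map could just as well drive `iptables -I INPUT -s <ip> -j DROP` instead of hosts.deny, and the sliding window is what keeps one legitimate typo from ever reaching the threshold.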