On Mon, Jun 05, 2006 at 05:27:24PM +0200, Oliver Schmidt wrote:
> > this seems to be a brute force attack, but one thing that worried me
> > is why sshd didn't disconnect the remote host after 3 unsuccessful
> > attempts? If we see in the log, there are many attempts with time
> > interval between attempts of 2 or 3 seconds meaning that the sshd
> > didn't disconnect the remote host after 3 attempts.
> >  So, first, am I thinking correctly about the sshd attempts?
> >  Second, how can I set up sshd or the entire system to permit just 2 or
> > 3 attempts of authentication? I was checking the /etc/login.defs file
> > and I see the following option:

Please tell me if I am wrong, but IIRC, each connection attempt to sshd calls 
one instance of login, so although the LOGIN_RETRIES option sets 3 attempts 
before the program exits, an ip address is free to initiate another connection.

There have been many discussions on this list in the past 18 months regarding 
this very issue (blocking brute-force ssh attempts). A search on gmane should
give you some ideas about how to use iptables to filter out the offending
ip addresses by limiting the number of connections allowed per time period. 
 
> Try using Denyhosts ... no problem with bruteforce attacks anymore. Denyhosts
> adds the IP of the attacker to the /etc/hosts.deny file.
> Install it with:
> ACCEPT_KEYWORDS="~x86" emerge denyhosts
> and add to your /etc/crontab
> */10 * * * * root python /usr/bin/denyhosts -c /etc/denyhosts.conf
> 
> Used it now for more than a year... it's perfect to block bruteforce attacks.
> 

Hey, this is a great program. If it were in portage earlier I wouldn't have 
needed to write my own solution to the problem. (I use a perl script to 
parse /var/log/pwdfail and drop the connection at the firewall.) 

According to the homepage of denyhosts, it should be able to run in daemon mode,
by following the log file. Is there any reason you prefer running it in crontab 
instead of as a daemon? I am asking because judging from my past experiences, 
the attackers often send out multiple attempts per second, so a */10 would 
let in upwards of 30 attempts before denyhosts picks up.

Best, 

W
-- 
Willie W. Wong
[EMAIL PROTECTED]
brought to you by the Roman letter i, the Hebrew letter \aleph, the Greek
letter \pi, and the non-letter \hbar
-- 
gentoo-user@gentoo.org mailing list
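The thread makes two technical points: a log-driven blocker (DenyHosts, or Willie's own pwdfail parser) works by counting failed sshd logins per source address and writing a deny rule, and a blocker that only runs from cron every 10 minutes lets a fast attacker get many attempts in before it reacts. The following Python is an added example written for this page, not DenyHosts' own code or Willie's perl script. It parses constructed sshd syslog lines, flags sources that cross a failure threshold inside a time window, emits `/etc/hosts.deny`-style `sshd: <ip>` lines, and models how many attempts a source gets in before a log-following daemon versus a periodic cron run would block it. The log lines, addresses, threshold and window values are all constructed for the example.

```python
"""Per-source failed-login counting and a cron-vs-daemon reaction model.

Added example for the gentoo-user thread above; not DenyHosts code.
Sample log lines are constructed (RFC 5737 documentation addresses).
"""
import math
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd lines in syslog format; syslog omits the year, so the
# parser is told which year to assume.
SAMPLE_LOG = """\
Jun  5 17:30:01 host sshd[4012]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Jun  5 17:30:02 host sshd[4014]: Failed password for invalid user test from 203.0.113.7 port 40113 ssh2
Jun  5 17:30:02 host sshd[4016]: Failed password for root from 203.0.113.7 port 40114 ssh2
Jun  5 17:30:03 host sshd[4018]: Failed password for invalid user guest from 203.0.113.7 port 40115 ssh2
Jun  5 17:30:05 host sshd[4020]: Accepted publickey for willie from 198.51.100.23 port 51000 ssh2
Jun  5 17:30:09 host sshd[4022]: Failed password for willie from 198.51.100.23 port 51001 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text, year=2006):
    """Return [(timestamp, source_ip), ...] for every failed-password line."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"]))
    return events


def offenders(events, threshold=3, window_seconds=600):
    """Map ip -> total failures for sources with >= threshold failures
    inside any window_seconds span (sliding window per source)."""
    by_ip = defaultdict(list)
    for ts, ip in sorted(events):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


def hosts_deny_lines(flagged):
    """Render flagged sources as TCP-wrapper lines for /etc/hosts.deny."""
    return [f"sshd: {ip}" for ip in sorted(flagged)]


def attempts_before_block(events, ip, threshold=3, poll_seconds=None):
    """Number of failures from `ip` that land before a blocker reacts.

    poll_seconds=None models a daemon following the log, which acts on the
    very line that crosses the threshold.  An integer models a cron job that
    only reads the log every poll_seconds, counted from the first failure.
    """
    times = sorted(ts for ts, src in events if src == ip)
    if len(times) < threshold:
        return len(times)  # threshold never crossed, nothing would be blocked
    if poll_seconds is None:
        return threshold
    t0, crossing = times[0], times[threshold - 1]
    elapsed = (crossing - t0).total_seconds()
    runs = max(1, math.ceil(elapsed / poll_seconds))  # first run after crossing
    cutoff = t0 + timedelta(seconds=runs * poll_seconds)
    return sum(1 for t in times if t <= cutoff)


def synthetic_burst(ip, per_second, seconds, start=datetime(2006, 6, 5, 17, 30)):
    """Constructed burst: per_second failures every second for `seconds` s."""
    return [(start + timedelta(seconds=s), ip)
            for s in range(seconds) for _ in range(per_second)]


if __name__ == "__main__":
    ev = parse_failures(SAMPLE_LOG)
    flagged = offenders(ev)
    print("\n".join(hosts_deny_lines(flagged)))
    burst = synthetic_burst("203.0.113.9", per_second=5, seconds=20)
    print("daemon:", attempts_before_block(burst, "203.0.113.9"))
    print("cron */10:", attempts_before_block(burst, "203.0.113.9", poll_seconds=600))
```

The burst model is deliberately simple (one threshold, a cron run counted from the first failure rather than wall-clock aligned), but it shows the asymmetry Willie describes: the daemon stops the constructed 5-per-second burst at the third failure, while a 10-minute cron job sees all 100 before it writes the deny entry.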
