[CentOS] sshd: Authentication Failures: 137 Time(s)

Mon Apr 4 15:00:23 UTC 2011
Marian Marinov <mm at yuhu.biz>

Guys, 
really... look at denyhosts and Hawk.

Both projects analyze the logs of the service and check for failed login 
attempts.

It is useless to battle the bruteforcers at the network level since they can 
adapt their behaviour to really easily circumvent any firewalls.

In order to protect your applications you should build on them. Every daemon 
now has decent logging capabilities. And you can simply tail the log constantly 
and detect which IPs should be blocked. And then block them promptly.

It is hard to find someone that will enter the wrong password more than 10 
times :)

I don't know for denyhosts, but Hawk removes the blocks every day and you can 
configure how long you want to keep a single IP blocked. This way you have 
better control over the automated block/unblock procedure.

If you need more information about Hawk, contact me.

Marian

On Monday 04 April 2011 17:18:58 Jason Brown wrote:
> You could also try using tcpwrappers along with iptables.
> 
> On 04/04/2011 06:34 AM, Marian Marinov wrote:
> > On Monday 04 April 2011 12:18:43 Rainer Traut wrote:
> >> Hi,
> >> 
> >> to prevent scripted dictionary attacks against sshd
> >> I applied those iptables rules:
> >> 
> >> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m recent
> >> --update --seconds 60 --hitcount 4 --name SSH --rsource -j DROP
> >> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m recent --set
> >> --name SSH --rsource
> >> 
> >> And this is part of logwatch:
> >> 
> >> sshd:
> >>      Authentication Failures:
> >>         unknown (www.telkom.co.ke): 137 Time(s)
> >>         unknown (mkongwe.jambo.co.ke): 130 Time(s)
> >>         unknown (212.49.70.24): 107 Time(s)
> >>         root (195.191.250.101): 8 Time(s)
> >> 
> >> How is it possible for an attacker to try to logon more than 4 times?
> >> Can the attacker do this with only one TCP/IP connection without
> >> establishing a new one?
> >> Or have the scripts been adapted to this?
> > 
> > The attackers are not trying constantly.. Just a few bursts of tries.
> > 
> > Look at denyhosts ( http://denyhosts.sourceforge.net/ ).
> > I also have a tool for protecting from brute force attacks called Hawk (
> > https://github.com/hackman/Hawk-IDS-IPS ).
> > 
> > Marian
> > 
> >> Thx
> >> Rainer
> >> _______________________________________________
> >> CentOS mailing list
> >> CentOS at centos.org
> >> http://lists.centos.org/mailman/listinfo/centos
> > 

-- 
Best regards,
Marian Marinov
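The log-driven approach Marian describes (count failed logins per source, block after a threshold, expire blocks after a configurable time) as an added example; this is illustrative code, not denyhosts or Hawk. It parses the "Failed password" lines sshd writes to /var/log/secure on CentOS; the log lines, addresses (192.0.2.0/24 test range), threshold and one-day block lifetime are constructed assumptions. It also shows why the quoted iptables "recent" rule undercounts: sshd accepts several password attempts per TCP connection (MaxAuthTries, default 6), so one connection can carry more failures than the rule ever sees.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches sshd auth failure lines from /var/log/secure (constructed format sample below).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
THRESHOLD = 10                     # assumption: "nobody gets it wrong 10 times"
BLOCK_LIFETIME = timedelta(days=1)  # assumption: Hawk-style daily unblock
YEAR = 2011                        # syslog timestamps carry no year; assumed


def parse_ts(text):
    return datetime.strptime(f"{YEAR} {text}", "%Y %b %d %H:%M:%S")


class Blocker:
    def __init__(self, threshold=THRESHOLD, lifetime=BLOCK_LIFETIME):
        self.threshold, self.lifetime = threshold, lifetime
        self.failures = defaultdict(int)   # ip -> failed logins since last block
        self.blocked = {}                  # ip -> time the block was applied

    def expire(self, now):
        """Drop blocks older than the configured lifetime (automated unblock)."""
        for ip, since in list(self.blocked.items()):
            if now - since >= self.lifetime:
                del self.blocked[ip]

    def feed(self, line):
        """Process one log line; return the IP if this line triggered a block."""
        m = FAILED_RE.match(line)
        if not m:
            return None
        ip, now = m.group("ip"), parse_ts(m.group("ts"))
        self.expire(now)
        if ip in self.blocked:
            return None                    # already blocked; nothing to do
        self.failures[ip] += 1
        if self.failures[ip] >= self.threshold:
            self.blocked[ip] = now         # here you would add the iptables rule
            self.failures.pop(ip)
            return ip
        return None


def run(lines):
    """Feed all lines through one Blocker; return (newly blocked IPs, blocker)."""
    b = Blocker()
    return [ip for ip in map(b.feed, lines) if ip], b


# Constructed sample: a burst of 10 failures from one host, one from another,
# then a new failure from the first host a day later (its block has expired).
SAMPLE = [f"Apr  4 15:0{i}:00 host sshd[1234]: Failed password for invalid user admin "
          f"from 192.0.2.10 port 4000 ssh2" for i in range(10)] + [
    "Apr  4 15:10:00 host sshd[1235]: Failed password for root from 192.0.2.20 port 4001 ssh2",
    "Apr  5 16:00:00 host sshd[1299]: Failed password for root from 192.0.2.10 port 4002 ssh2",
]
```

Running `run(SAMPLE)` blocks 192.0.2.10 on its tenth failure, leaves 192.0.2.20 unblocked at one failure, and releases the block before the next-day attempt.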