[CentOS] sshd: Authentication Failures: 137 Time(s)
David Sommerseth
dazo at users.sourceforge.net
Mon Apr 4 14:04:26 UTC 2011
On 04/04/11 15:35, henry ritzlmayr wrote:
> Am Montag, den 04.04.2011, 15:07 +0200 schrieb Rainer Traut:
>> Am 04.04.2011 12:34, schrieb Marian Marinov:
>>>> How is it possible for an attacker to try to logon more then 4 times?
>>>> Can the attacker do this with only one TCP/IP connection without
>>>> establishing a new one?
>>>> Or have the scripts been adapted to this?
>>>
>>> The attackers are not trying constantly.. Just a few bursts of trys.
>>>
>>> Look at denyhosts ( http://denyhosts.sourceforge.net/ ).
>>> I also have a tool for protecting from brute force attacks called Hawk (
>>> https://github.com/hackman/Hawk-IDS-IPS ).
>>
>> Ok, thanks to both of you, it seems the scripts getting better and better.
>> Will change my iptables rule to keep the blacklist for longer.
>>
>> Thx
>> Rainer
>
> Also check MaxAuthTries in /etc/ssh/sshd_config
>
> Specifies the maximum number of authentication attempts permitted per
> connection.
That won't do too much. It only tells the ssh server how many attempts to
accept before closing the TCP connection. The attacker can still just
re-connect and try again, which is what usually happens during these
attempts. Of course, setting MaxAuthTries to 1, will slow the attacker a
little bit down, as it needs to re-establish the SSH connection again.
Moving over to disallowing password authentication and only use pubkey with
~/.ssh/authorized_keys is probably going to do a better job securing the
server.
kind regards,
David Sommerseth
More information about the CentOS
mailing list