[CentOS] CentOS 5 sshd does not log IP address of reverse mapping failure [solved, I guess]

Sun Mar 10 13:12:13 UTC 2013
Tilman Schmidt <t.schmidt at phoenixsoftware.de>

On 10.03.2013 03:01, Les Mikesell wrote:
> On Sat, Mar 9, 2013 at 11:57 AM, Tilman Schmidt
> <t.schmidt at phoenixsoftware.de> wrote:
>>
>> Mar  3 04:44:48 gimli sshd[12870]: reverse mapping checking getaddrinfo
>> for hn.ly.kd.adsl failed - POSSIBLE BREAK-IN ATTEMPT!
>> Mar  3 04:44:49 gimli sshd[12871]: Received disconnect from
>> 61.163.113.72: 11: Bye Bye
>>
>> If I set "UseDNS no" the first message disappears and only the second
>> one remains.
>>
>> So it seems there is no way to identify password brute-forcing attempts
>> on servers which don't accept password authentication in the first
>> place.
> 
> Can't you pick some reasonable number of 'received disconnect'
> messages to allow from a single IP?

Yes, I think that should work. I was worried that "received disconnect"
messages might also appear for legitimate connections, but looking
through my logs it seems that they don't.

I have set it up as a test on one of my servers with a threshold of 15
attempts in 1000 secs now to see how it will fare.

Thanks,
Tilman

-- 
Tilman Schmidt
Phoenix Software GmbH
Bonn, Germany
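The per-source threshold discussed above ("some reasonable number of 'received disconnect' messages from a single IP", tested here as 15 in 1000 seconds) can be checked over sshd log lines with a sliding window. This is an added illustration, not code from the thread or from any particular tool; it assumes the syslog line shape quoted above, takes the year as a parameter because syslog timestamps omit it, and runs on a constructed sample log embedded in the block.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the sshd "Received disconnect" line shape quoted in the thread.
# The "reverse mapping checking" line carries no IP, so it is ignored.
DISCONNECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Received disconnect from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}): "
)


def parse_syslog_ts(text, year):
    """Parse 'Mar  3 04:44:48' into a datetime; the year is an assumption
    supplied by the caller since syslog timestamps do not carry it."""
    text = re.sub(r"\s+", " ", text)
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def find_offenders(lines, threshold=15, window_secs=1000, year=2013):
    """Return {ip: datetime} for every source IP that produced at least
    `threshold` 'Received disconnect' lines within any `window_secs` span.
    The datetime is the event that first crossed the threshold."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        m = DISCONNECT_RE.match(line)
        if not m:
            continue
        ts = parse_syslog_ts(m.group("ts"), year)
        ip = m.group("ip")
        q = recent[ip]
        q.append(ts)
        # Drop events older than the window, measured from this event.
        while (ts - q[0]).total_seconds() > window_secs:
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


def _syslog_stamp(t):
    # Syslog pads a single-digit day with a space: "Mar  3 04:44:48".
    return f"{t.strftime('%b')} {t.day:>2} {t.strftime('%H:%M:%S')}"


def make_sample_log():
    """Constructed sample: one source disconnecting every 60 s sixteen times,
    one legitimate-looking host with two disconnects, plus unrelated lines."""
    base = datetime(2013, 3, 3, 4, 44, 48)
    lines = [
        f"{_syslog_stamp(base)} gimli sshd[12870]: reverse mapping checking "
        "getaddrinfo for hn.ly.kd.adsl failed - POSSIBLE BREAK-IN ATTEMPT!"
    ]
    for i in range(16):
        t = base + timedelta(seconds=60 * i)
        lines.append(f"{_syslog_stamp(t)} gimli sshd[{12871 + i}]: "
                     "Received disconnect from 61.163.113.72: 11: Bye Bye")
    for i in range(2):
        t = base + timedelta(seconds=300 * i)
        lines.append(f"{_syslog_stamp(t)} gimli sshd[{13000 + i}]: "
                     "Received disconnect from 192.0.2.10: 11: disconnected by user")
    lines.append(f"{_syslog_stamp(base)} gimli sshd[13100]: "
                 "Accepted publickey for admin from 192.0.2.10 port 50022 ssh2")
    return lines


if __name__ == "__main__":
    for ip, when in find_offenders(make_sample_log()).items():
        print(f"{ip} crossed the threshold at {when:%b %d %H:%M:%S}")
```

With a 60-second spacing the fifteenth disconnect from 61.163.113.72 falls 840 seconds after the first, inside the 1000-second window, so that source is reported while 192.0.2.10 is not; shrinking the window to 600 seconds leaves at most eleven events in it and nothing is flagged, which is the kind of tuning the thread's trial run is meant to settle.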
