Rainer Traut wrote:
On 04.04.2011 12:34, Marian Marinov wrote:
How is it possible for an attacker to try to log on more than 4 times? Can the attacker do this with only one TCP/IP connection without establishing a new one? Or have the scripts been adapted to this?
The attackers are not trying constantly. Just a few bursts of tries.
Look at denyhosts ( http://denyhosts.sourceforge.net/ ). I also have a tool for protecting from brute force attacks called Hawk ( https://github.com/hackman/Hawk-IDS-IPS ).
Ok, thanks to both of you, it seems the scripts are getting better and better. Will change my iptables rule to keep the blacklist for longer.
May I highly commend to your attention fail2ban? We use it, and it works very well. Default is 3 from an IP, 5 for ssh, and it's banned for a configurable amount of time - default is 2 hours. And you can add additional filters.
mark
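
The effect of ban duration on the bursty attempts described in this thread, as an added Python example that is not code from any poster, nor from fail2ban, denyhosts or Hawk. It replays a constructed sshd log through a simplified ban model; the parameter names `maxretry`, `findtime` and `bantime` are borrowed from fail2ban, while the values, log lines and addresses (documentation ranges) are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches sshd "Failed password" lines; captures the timestamp and source IPv4.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (\d{1,3}(?:\.\d{1,3}){3}) port")

def build_sample():
    """Constructed log: 3 bursts of 5 failures, 10 minutes apart, plus one user typo."""
    lines = [f"Apr  4 12:{b * 10:02d}:{i * 2:02d} host sshd[100]: "
             "Failed password for root from 203.0.113.7 port 4000 ssh2"
             for b in range(3) for i in range(5)]
    lines.append("Apr  4 12:05:00 host sshd[101]: "
                 "Failed password for alice from 198.51.100.5 port 5000 ssh2")
    return sorted(lines)  # same date prefix, so string order is time order

def simulate(lines, maxretry, findtime, bantime, year=2011):
    """Replay attempts; return ({ip: attempts reaching sshd}, {ip: bans issued})."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside findtime
    banned_until = {}             # ip -> time the current ban expires
    reached, bans = defaultdict(int), defaultdict(int)
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if ip in banned_until and ts < banned_until[ip]:
            continue              # dropped by the firewall, never reaches sshd
        reached[ip] += 1
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > timedelta(seconds=findtime):
            window.popleft()      # forget failures older than findtime
        if len(window) >= maxretry:
            banned_until[ip] = ts + timedelta(seconds=bantime)
            bans[ip] += 1
            window.clear()
    return dict(reached), dict(bans)

if __name__ == "__main__":
    for bantime in (60, 7200):    # a short blacklist versus a two-hour one
        reached, bans = simulate(build_sample(), maxretry=4, findtime=60, bantime=bantime)
        print(f"bantime={bantime}s reached={reached} bans={bans}")
```

With the 60-second ban every burst gets a fresh set of guesses; with the two-hour ban only the first burst reaches sshd, and the single mistyped password from the other address never triggers a ban in either case.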