On 10.03.2013 03:01, Les Mikesell wrote:
On Sat, Mar 9, 2013 at 11:57 AM, Tilman Schmidt t.schmidt@phoenixsoftware.de wrote:
Mar 3 04:44:48 gimli sshd[12870]: reverse mapping checking getaddrinfo for hn.ly.kd.adsl failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 3 04:44:49 gimli sshd[12871]: Received disconnect from 61.163.113.72: 11: Bye Bye
If I set "UseDNS no" the first message disappears and only the second one remains.
So it seems there is no way to identify password bruteforcing attempts on servers which don't accept password authentication in the first place.
Can't you pick some reasonable number of 'received disconnect' messages to allow from a single IP?
Yes, I think that should work. I was worried that "received disconnect" messages might also appear for legitimate connections, but looking through my logs it seems that they don't.
I have set it up as a test on one of my servers with a threshold of 15 attempts in 1000 secs now to see how it will fare.
Thanks, Tilman