On Monday, 04.04.2011, at 16:04 +0200, David Sommerseth wrote:
On 04/04/11 15:35, henry ritzlmayr wrote:
On Monday, 04.04.2011, at 15:07 +0200, Rainer Traut wrote:
On 04.04.2011 at 12:34, Marian Marinov wrote:
How is it possible for an attacker to try to log on more than 4 times? Can the attacker do this with only one TCP/IP connection without establishing a new one? Or have the scripts been adapted to this?
The attackers are not trying constantly. Just a few bursts of tries.
Look at denyhosts ( http://denyhosts.sourceforge.net/ ). I also have a tool for protecting from brute force attacks called Hawk ( https://github.com/hackman/Hawk-IDS-IPS ).
Ok, thanks to both of you, it seems the scripts are getting better and better. Will change my iptables rule to keep the blacklist for longer.
Thx Rainer
Also check MaxAuthTries in /etc/ssh/sshd_config
Specifies the maximum number of authentication attempts permitted per connection.
That won't do too much. It only tells the ssh server how many attempts to accept before closing the TCP connection. The attacker can still just re-connect and try again, which is what usually happens during these attempts. Of course, setting MaxAuthTries to 1 will slow the attacker down a little bit, as it needs to re-establish the SSH connection again.
Right, but with setting MaxAuthTries to 1, the iptables rule specified by the OP jumps in much earlier.
Moving over to disallowing password authentication and only using pubkey with ~/.ssh/authorized_keys is probably going to do a better job securing the server.
kind regards,
David Sommerseth
Henry
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
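
An added example, not part of the thread or of any tool it mentions: since MaxAuthTries only limits attempts per connection, this counts failed password attempts per source IP across connections, which is the number a blacklist needs. The log lines are constructed, and the code assumes OpenSSH's usual "Failed password" syslog format and one sshd PID per connection.

```python
import re
from collections import defaultdict

# Constructed sample lines in the usual OpenSSH syslog format (not from the thread).
SAMPLE_LOG = """\
Apr  4 12:00:01 host sshd[2001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Apr  4 12:00:02 host sshd[2001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Apr  4 12:00:04 host sshd[2002]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Apr  4 12:00:05 host sshd[2002]: Failed password for root from 203.0.113.5 port 40002 ssh2
Apr  4 12:00:07 host sshd[2003]: Failed password for root from 203.0.113.5 port 40003 ssh2
Apr  4 12:03:10 host sshd[2010]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Apr  4 12:03:15 host sshd[2010]: Accepted password for alice from 198.51.100.7 port 51000 ssh2
"""

FAILED = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def summarize(log_text):
    """Return {ip: {"failures": n, "connections": n, "max_per_connection": n}}."""
    # Assumption: each connection is logged under its own sshd PID.
    per_conn = defaultdict(lambda: defaultdict(int))  # ip -> sshd pid -> failures
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            per_conn[m.group("ip")][m.group("pid")] += 1
    return {
        ip: {
            "failures": sum(conns.values()),
            "connections": len(conns),
            "max_per_connection": max(conns.values()),
        }
        for ip, conns in per_conn.items()
    }

def sources_over(log_text, threshold):
    """Source IPs whose total failures across all connections exceed threshold."""
    return sorted(ip for ip, s in summarize(log_text).items() if s["failures"] > threshold)

if __name__ == "__main__":
    for ip, stats in summarize(SAMPLE_LOG).items():
        print(ip, stats)
    print("over 4 failures:", sources_over(SAMPLE_LOG, 4))
```

In the sample, no single connection from 203.0.113.5 has more than two failures, yet the source accumulates five across three connections.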