On Monday, 04.04.2011, 16:04 +0200, David Sommerseth wrote:
> On 04/04/11 15:35, henry ritzlmayr wrote:
> > On Monday, 04.04.2011, 15:07 +0200, Rainer Traut wrote:
> >> On 04.04.2011 12:34, Marian Marinov wrote:
> >>>> How is it possible for an attacker to try to log on more than 4 times?
> >>>> Can the attacker do this with only one TCP/IP connection without
> >>>> establishing a new one?
> >>>> Or have the scripts been adapted to this?
> >>>
> >>> The attackers are not trying constantly. Just a few bursts of tries.
> >>>
> >>> Look at denyhosts ( http://denyhosts.sourceforge.net/ ).
> >>> I also have a tool for protecting from brute force attacks called Hawk (
> >>> https://github.com/hackman/Hawk-IDS-IPS ).
> >>
> >> Ok, thanks to both of you, it seems the scripts are getting better and better.
> >> Will change my iptables rule to keep the blacklist for longer.
> >>
> >> Thx
> >> Rainer
> >
> > Also check MaxAuthTries in /etc/ssh/sshd_config
> >
> > Specifies the maximum number of authentication attempts permitted per
> > connection.
>
> That won't do too much. It only tells the ssh server how many attempts to
> accept before closing the TCP connection. The attacker can still just
> re-connect and try again, which is what usually happens during these
> attempts. Of course, setting MaxAuthTries to 1 will slow the attacker
> down a little bit, as it needs to re-establish the SSH connection again.

Right, but by setting MaxAuthTries to 1, the iptables rule specified by the
OP jumps in much earlier.

> Moving over to disallowing password authentication and only using pubkey with
> ~/.ssh/authorized_keys is probably going to do a better job securing the
> server.
>
>
> kind regards,
>
> David Sommerseth

Henry

> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
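An added check for the two sshd_config settings discussed in this thread (example code, not posted by anyone in it). It follows the sshd(8) rule that the first occurrence of a keyword wins, so a "MaxAuthTries 1" appended below the stock "MaxAuthTries 6" is reported as ineffective; the two sample configs are constructed for the demonstration.

```sh
#!/bin/sh
# Print the effective value of KEY from FILE (case-insensitive keyword,
# "Key value" or "Key=value" form), or nothing if it is not set before the
# first Match block. sshd uses the FIRST occurrence of a keyword.
# Usage: sshd_opt FILE KEY
sshd_opt() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { gsub(/[[:space:]]*=[[:space:]]*/, " ") }   # Key=value -> Key value
        /^[[:space:]]*#/ || NF == 0 { next }         # skip comments and blank lines
        tolower($1) == "match" { exit }              # conditional block: stop here
        tolower($1) == key { print $2; exit }        # first occurrence wins
    ' "$1"
}

# Print one WARN line per weak setting in FILE, falling back to the sshd
# defaults (MaxAuthTries 6, PasswordAuthentication yes) when a keyword is absent.
audit_sshd() {
    tries=$(sshd_opt "$1" MaxAuthTries);          tries=${tries:-6}
    pw=$(sshd_opt "$1" PasswordAuthentication);   pw=${pw:-yes}
    [ "$tries" -le 1 ] || echo "WARN: MaxAuthTries is $tries (want 1 so the iptables blacklist triggers sooner)"
    [ "$pw" = no ]     || echo "WARN: PasswordAuthentication is $pw (want no; use ~/.ssh/authorized_keys)"
    return 0
}

# Constructed sample configs (not real hosts).
WEAK=$(mktemp); HARD=$(mktemp)
cat >"$WEAK" <<'EOF'
# the stock file already sets this near the top ...
MaxAuthTries 6
PasswordAuthentication yes
# ... so this line, appended later, has no effect at all
MaxAuthTries 1
EOF
cat >"$HARD" <<'EOF'
MaxAuthTries=1
PasswordAuthentication no
PubkeyAuthentication yes
Match Address 10.0.0.0/8
    PasswordAuthentication yes
EOF

audit_sshd "$WEAK"   # two WARN lines
audit_sshd "$HARD"   # prints nothing
```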