On 04/04/11 11:18, Rainer Traut wrote:
> to prevent scripted dictionary attacks on sshd
> I applied those iptables rules:
>
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m recent
> --update --seconds 60 --hitcount 4 --name SSH --rsource -j DROP
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m recent --set
> --name SSH --rsource
>
> And this is part of logwatch:
>
> sshd:
> Authentication Failures:
> unknown (www.telkom.co.ke): 137 Time(s)
> unknown (mkongwe.jambo.co.ke): 130 Time(s)
> unknown (212.49.70.24): 107 Time(s)
> root (195.191.250.101): 8 Time(s)
>
> How is it possible for an attacker to try to logon more than 4 times?
> Can the attacker do this with only one TCP/IP connection without
> establishing a new one? Or have the scripts been adapted to this?

i see similar results on some of my servers, e.g.:

% grep 'a\.bad\.ip\.address' authpriv|grep 'authentication failure'|awk '{print $3}'|less
15:47:44
15:49:34
15:49:46
15:51:32
15:53:17
15:53:30
15:55:14
15:56:59
15:58:44
16:00:34
16:02:19
16:02:31
16:04:17
[...]

so i can see that yes, at least some automated scripts have been adapted to back off in an attempt not to trip my iptables rules. you can do a similar grep to see the times of your attempts, and that will tell you if they're running a softly-softly script, or if instead they have found a way to test many passwords without tripping the iptables rule.

On Mon, 4 Apr 2011, David Sommerseth wrote:
> This is just a hunch, but --seconds 60 indicates that it will only look
> back one minute to check if it could find a hit. So if the attacker tries
> to connect again after 2 minutes or even 61 seconds, it won't trigger this
> rule. Try increasing this value to 3600 (1 hour). Maybe you want even longer.

i occasionally trip my iptables rule myself, for example if i scp a couple of files off a server and then go back for a third; i feel it would be a shame to lock myself out for an hour by doing that.

the way i see it is that, even in the limiting case where an attacker can try two passwords every minute, she will be limited to just under 3,000 attempts a day, and that's not very many when you're trying to brute-force decent passwords. given that most of those are attempts to guess root's password, and i have "PermitRootLogin no" in sshd_config, the tiny additional load caused by an attempt every 30 seconds is something i can live with in exchange for not locking myself out for too long. how long you set your lockout for is a call you must make for your server(s); i just wanted you to have more points of view about what people are doing out there in the wild.

--
Tom Yates - http://www.teaparty.net
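An added example, not part of the thread, that automates the grep above and replays the two-rule "recent" chain over the attempt times: it parses constructed auth log lines (192.0.2.10 is a documentation address), reports the gaps between failures from one source, and shows which attempts the chain would have dropped with --seconds 60 versus the suggested 3600.

```python
import re
from datetime import datetime

# Constructed sample auth log (syslog format). Timestamps follow the spacing
# quoted in the thread; 192.0.2.10 / 203.0.113.5 are documentation addresses.
SAMPLE_LOG = """\
Apr  4 15:47:44 srv sshd[2001]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=root
Apr  4 15:48:10 srv sshd[2002]: Accepted publickey for tom from 198.51.100.7 port 40122 ssh2
Apr  4 15:49:34 srv sshd[2003]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=root
Apr  4 15:49:46 srv sshd[2004]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=root
Apr  4 15:51:32 srv sshd[2005]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=root
Apr  4 15:53:17 srv sshd[2006]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=root
Apr  4 15:53:30 srv sshd[2007]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=root
Apr  4 15:55:14 srv sshd[2008]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=admin
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r".*authentication failure;.*rhost=(?P<rhost>\S+)")

def failure_times(log, rhost):
    """Timestamps of sshd authentication failures from one source address."""
    times = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("rhost") == rhost:
            # syslog carries no year; strptime defaults to 1900, fine for deltas
            times.append(datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"))
    return times

def gaps_seconds(times):
    """Seconds between consecutive failures; regular gaps over a minute suggest a backoff script."""
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]

def simulate_recent(times, seconds, hitcount):
    """Model of the chain from the thread: a new connection is DROPped when at least
    `hitcount` earlier connections from the source fall within the last `seconds`.
    Every connection adds a timestamp, whether dropped (--update refreshes the entry
    on a match) or accepted (the following --set rule records it).
    Returns one bool per attempt: True means that attempt would have been dropped."""
    stamps, dropped = [], []
    for t in times:
        in_window = [s for s in stamps if (t - s).total_seconds() <= seconds]
        dropped.append(len(in_window) >= hitcount)
        stamps.append(t)
    return dropped

if __name__ == "__main__":
    attempts = failure_times(SAMPLE_LOG, "192.0.2.10")
    print("gaps (s):", gaps_seconds(attempts))
    for window in (60, 3600):
        print(f"--seconds {window}: dropped =", simulate_recent(attempts, window, 4))
```

The model counts connections, as the rule does, and treats each logged failure as one connection; sshd's MaxAuthTries allows several password attempts per connection, so a log can show more failures than the rule ever counted.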