[CentOS] sshd: Authentication Failures: 137 Time(s)

David Sommerseth dazo at users.sourceforge.net
Mon Apr 4 09:59:37 UTC 2011


On 04/04/11 11:18, Rainer Traut wrote:
> Hi,
> 
> to prevent scripted dictionary attacks to sshd
> I applied those iptables rules:
> 
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m recent 
> --update --seconds 60 --hitcount 4 --name SSH --rsource -j DROP
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m recent --set 
> --name SSH --rsource
> 
> And this is part of logwatch:
> 
> sshd:
>      Authentication Failures:
>         unknown (www.telkom.co.ke): 137 Time(s)
>         unknown (mkongwe.jambo.co.ke): 130 Time(s)
>         unknown (212.49.70.24): 107 Time(s)
>         root (195.191.250.101): 8 Time(s)
> 
> How is it possible for an attacker to try to log on more than 4 times?
> Can the attacker do this with only one TCP/IP connection without 
> establishing a new one?
> Or have the scripts been adapted to this?

This is just a hunch, but --seconds 60 indicates that it will only look
back one minute to check if it could find a hit.  So if the attacker tries
to connect again after 2 minutes or even 61 seconds, it won't trigger this
rule.  Try increasing this value to 3600 (1 hour).  Maybe you want even longer.


kind regards,

David Sommerseth
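The sliding-window behaviour David describes is easy to see in a small model. The following is an added example (not part of the thread, and not the kernel's xt_recent code): a constructed Python approximation of the two rules from the original post, where the `--update` rule counts the previously recorded NEW packets from the same source that still fall inside `--seconds`, drops once that count reaches `--hitcount`, and the `--set` rule records each packet's timestamp. The source address and the attempt timings are constructed sample values; the script runs the same timing pattern against the 60-second window and against the 3600-second window David suggests.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class RecentList:
    """Constructed model of the netfilter 'recent' match with --rsource.

    One entry per source address, holding the timestamps of NEW packets that
    reached the '--set' rule. Written for this example; it follows the
    documented semantics of --update/--seconds/--hitcount, not the exact
    kernel implementation (e.g. the per-entry timestamp cap is ignored).
    """
    seconds: int   # --seconds: how far back the --update rule looks
    hitcount: int  # --hitcount: hits inside the window that trigger DROP
    stamps: Dict[str, List[float]] = field(default_factory=dict)

    def new_connection(self, src: str, now: float) -> str:
        """Run one NEW packet through the two rules; return 'DROP' or 'ACCEPT'."""
        seen = self.stamps.setdefault(src, [])
        # Rule 1: -m recent --update --seconds S --hitcount N -j DROP
        # Only stamps no older than S seconds are counted; older ones are
        # invisible to the rule, which is the gap David points out.
        recent_hits = [t for t in seen if now - t <= self.seconds]
        if len(recent_hits) >= self.hitcount:
            seen.append(now)  # --update refreshes the entry when it matches
            return "DROP"
        # Rule 2: -m recent --set (packet then continues to the normal policy)
        seen.append(now)
        return "ACCEPT"


def simulate(seconds: int, hitcount: int, attempts: List[float],
             src: str = "203.0.113.7") -> List[str]:
    """Verdict for each NEW connection at the given times (seconds)."""
    rl = RecentList(seconds, hitcount)
    return [rl.new_connection(src, t) for t in attempts]


# Constructed timing patterns (seconds since the first attempt):
BURST = [0, 1, 2, 3, 4, 5]              # six connections in six seconds
SLOW = [0, 61, 122, 183, 244, 305]      # one connection every 61 seconds

if __name__ == "__main__":
    for label, window in (("--seconds 60", 60), ("--seconds 3600", 3600)):
        print(label)
        print("  burst:", simulate(window, 4, BURST))
        print("  slow: ", simulate(window, 4, SLOW))
```

With `--seconds 60`, the burst is cut off after four connections, but a client that waits just over a minute between connections is never dropped because every earlier hit has already left the window; with `--seconds 3600` the same slow pattern is blocked from the fifth connection on. Note also that the rule limits TCP connections, not login attempts: sshd allows several password attempts per connection (`MaxAuthTries`, default 6), so the failure count in logwatch can be several times the number of connections that reached sshd.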
