[CentOS] sshd: Authentication Failures: 137 Time(s)

Mon Apr 4 14:21:36 UTC 2011
henry ritzlmayr <centos at rc0.at>

On Monday, 04.04.2011, at 16:04 +0200, David Sommerseth wrote:
> On 04/04/11 15:35, henry ritzlmayr wrote:
> > On Monday, 04.04.2011, at 15:07 +0200, Rainer Traut wrote:
> >> On 04.04.2011 12:34, Marian Marinov wrote:
> >>>> How is it possible for an attacker to try to logon more than 4 times?
> >>>> Can the attacker do this with only one TCP/IP connection without
> >>>> establishing a new one?
> >>>> Or have the scripts been adapted to this?
> >>>
> >>> The attackers are not trying constantly.. Just a few bursts of tries.
> >>>
> >>> Look at denyhosts ( http://denyhosts.sourceforge.net/ ).
> >>> I also have a tool for protecting from brute force attacks called Hawk (
> >>> https://github.com/hackman/Hawk-IDS-IPS ).
> >>
> >> Ok, thanks to both of you, it seems the scripts are getting better and better.
> >> Will change my iptables rule to keep the blacklist for longer.
> >>
> >> Thx
> >> Rainer
> > 
> > Also check MaxAuthTries in /etc/ssh/sshd_config
> > 
> > Specifies the maximum number of authentication attempts permitted per
> > connection.
> 
> That won't do too much.  It only tells the ssh server how many attempts to
> accept before closing the TCP connection.  The attacker can still just
> re-connect and try again, which is what usually happens during these
> attempts.  Of course, setting MaxAuthTries to 1, will slow the attacker a
> little bit down, as it needs to re-establish the SSH connection again.

Right, but with setting MaxAuthTries to 1, the iptables rule specified
by the OP jumps in much earlier. 

> Moving over to disallowing password authentication and only use pubkey with
> ~/.ssh/authorized_keys is probably going to do a better job securing the
> server.
> 
> 
> kind regards,
> 
> David Sommerseth

Henry
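
Added example, not part of the original message: a Python example that groups sshd "Failed password" lines by connection (sshd child PID plus source port) to show why a lower MaxAuthTries lets a per-connection firewall limit cut in after fewer guesses. The log lines are constructed, and the "block after N connections" threshold is an assumed stand-in for the OP's iptables rule, which is not shown in this message.

```python
import re
from collections import defaultdict

# Constructed sshd syslog lines (documentation IPs, made-up PIDs and ports).
SAMPLE_LOG = """\
Apr  4 12:00:01 host sshd[4101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Apr  4 12:00:03 host sshd[4101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Apr  4 12:00:05 host sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Apr  4 12:00:09 host sshd[4107]: Failed password for root from 203.0.113.7 port 40388 ssh2
Apr  4 12:00:11 host sshd[4107]: Failed password for root from 203.0.113.7 port 40388 ssh2
Apr  4 12:00:13 host sshd[4107]: Failed password for root from 203.0.113.7 port 40388 ssh2
Apr  4 12:00:20 host sshd[4112]: Failed password for invalid user test from 203.0.113.7 port 40561 ssh2
Apr  4 12:01:00 host sshd[4120]: Accepted publickey for alice from 198.51.100.9 port 51000 ssh2
"""

FAILED = re.compile(r"sshd\[(?P<pid>\d+)\]: Failed password for (?:invalid user )?\S+ "
                    r"from (?P<ip>\S+) port (?P<port>\d+)")

def failures_per_connection(log_text):
    """Map each source IP to its failed-password counts, one entry per TCP
    connection (sshd child PID plus source port), in order of first sight."""
    per_ip = defaultdict(dict)
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            conn = (m["pid"], m["port"])
            per_ip[m["ip"]][conn] = per_ip[m["ip"]].get(conn, 0) + 1
    return {ip: list(conns.values()) for ip, conns in per_ip.items()}

def guesses_before_block(conn_counts, conn_limit, max_auth_tries):
    """Password guesses that get through if the firewall blocks a source after
    conn_limit connections (assumed threshold) and sshd closes each
    connection after max_auth_tries failures."""
    return sum(min(n, max_auth_tries) for n in conn_counts[:conn_limit])

if __name__ == "__main__":
    for ip, counts in failures_per_connection(SAMPLE_LOG).items():
        print(ip, "failures per connection:", counts)
        for tries in (6, 1):
            print(f"  MaxAuthTries={tries}, block after 3 connections:",
                  guesses_before_block(counts, 3, tries), "guesses")
```
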
