[CentOS] sshd: Authentication Failures: 137 Time(s)

Mon Apr 4 14:41:37 UTC 2011
Tom Yates <madhatter at teaparty.net>

On 04/04/11 11:18, Rainer Traut wrote:

> to prevent scripted dictionary attacks to sshd
> I applied those iptables rules:
> 
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m recent 
> --update --seconds 60 --hitcount 4 --name SSH --rsource -j DROP
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m recent --set 
> --name SSH --rsource
> 
> And this is part of logwatch:
> 
> sshd:
>      Authentication Failures:
>         unknown (www.telkom.co.ke): 137 Time(s)
>         unknown (mkongwe.jambo.co.ke): 130 Time(s)
>         unknown (212.49.70.24): 107 Time(s)
>         root (195.191.250.101): 8 Time(s)
> 
> How is it possible for an attacker to try to log on more than 4 times? 
> Can the attacker do this with only one TCP/IP connection without 
> establishing a new one? Or have the scripts been adapted to this?

i see similar results on some of my servers, eg:

% grep 'a\.bad\.ip\.address' authpriv|grep 'authentication failure'|awk '{print $3}'|less
15:47:44
15:49:34
15:49:46
15:51:32
15:53:17
15:53:30
15:55:14
15:56:59
15:58:44
16:00:34
16:02:19
16:02:31
16:04:17
[...]

so i can see that yes, at least some automated scripts have been adapted 
to back off in an attempt not to trip my iptables rules.  you can do a 
similar grep to see the times of your attempts, and that will tell you if 
they're running a softly-softly script, or if instead they have found a 
way to test many passwords without tripping the iptables rule.

On Mon, 4 Apr 2011, David Sommerseth wrote:

> This is just a hunch, but --seconds 60 indicates that it will only look
> back one minute to check if it could find a hit.  So if the attacker tries
> to connect again after 2 minutes or even 61 seconds, it won't trigger this
> rule.  Try increasing this value to 3600 (1 hour).  Maybe you want even longer.

i occasionally trip my iptables rule myself, for example if i scp a couple 
of files off a server and then go back for a third; i feel it would be a 
shame to lock myself out for an hour, by doing that.

the way i see it is that, even in the limiting case where an attacker can 
try two passwords every minute, she will be limited to just under 3,000 
attempts a day, and that's not very many when you're trying to brute-force 
decent passwords.  given that most of those are attempts to guess root's 
password, and i have "PermitRootLogin no" in sshd_config, the tiny 
additional load caused by an attempt every 30 seconds is something i can 
live with in exchange for not locking myself out for too long.

how long you set your lockout for is a call you must make for your 
server(s); i just wanted you to have more points of view about what people 
are doing out there in the wild.


-- 

   Tom Yates  -  http://www.teaparty.net
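An added example, not from anyone in the thread: a small model of Rainer's two `recent` rules run over constructed `/var/log/secure` lines, so you can see for yourself which pacing trips the rule and which slips under it, and what David's longer `--seconds` window changes. It does Tom's grep for the failure times and prints the gaps between them, then replays the connections against the rule. Assumptions are marked in the code: the log lines and the 203.0.113.x / 198.51.100.x addresses are constructed (documentation ranges); each failure line is treated as one new connection, although sshd's `MaxAuthTries` lets several password tries share one TCP connection, which a rule matching only `--state NEW` never counts; and the rule model follows xt_recent (stamps already recorded inside the window are counted, a matched `--update` and an unmatched `--set` both record the current packet, and the per-address stamp list is capped at the default `ip_pkt_list_tot` of 20), so treat the exact attempt at which the DROP starts as a property of that model.

```python
"""Model of the iptables 'recent' rule pair from the thread, replayed over
constructed sshd auth-failure log lines (example code, not from the thread)."""
import re
from collections import defaultdict

# Rule parameters from the quoted iptables rules.
SECONDS = 60       # --seconds
HITCOUNT = 4       # --hitcount
# xt_recent keeps a bounded ring of timestamps per address; 20 is the
# module's default ip_pkt_list_tot (assumption: default module parameters).
PKT_LIST_TOT = 20

# Constructed log lines in the CentOS /var/log/secure format. The addresses
# are documentation ranges, not real hosts. 203.0.113.7 is paced 105 s apart
# (the "softly-softly" pattern); 198.51.100.9 hammers every ~8 s.
LOG = """\
Apr  4 15:47:44 host sshd[2101]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=root
Apr  4 15:49:29 host sshd[2117]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=root
Apr  4 15:51:14 host sshd[2130]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=root
Apr  4 15:52:59 host sshd[2144]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=root
Apr  4 15:54:44 host sshd[2158]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=root
Apr  4 15:56:29 host sshd[2171]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=root
Apr  4 16:10:00 host sshd[2300]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.9  user=root
Apr  4 16:10:08 host sshd[2301]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.9  user=root
Apr  4 16:10:15 host sshd[2302]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.9  user=root
Apr  4 16:10:23 host sshd[2303]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.9  user=root
Apr  4 16:10:31 host sshd[2304]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.9  user=root
Apr  4 16:10:39 host sshd[2305]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.9  user=root
"""

# syslog prefix, then the pam_unix failure message with its rhost= field.
LINE_RE = re.compile(
    r'^\w{3}\s+\d+\s+(\d\d):(\d\d):(\d\d)\s+\S+\s+sshd\[\d+\]:'
    r'.*authentication failure;.*\brhost=(\S+)')


def parse_failures(text):
    """Return [(seconds_since_midnight, rhost), ...] for each failure line,
    in log order. Assumption: one failure line == one new TCP connection
    (with sshd's MaxAuthTries several tries can share a connection)."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            h, mi, s, rhost = m.groups()
            out.append((int(h) * 3600 + int(mi) * 60 + int(s), rhost))
    return out


def gaps(times):
    """Seconds between consecutive attempts, the same view Tom's grep gives."""
    return [b - a for a, b in zip(times, times[1:])]


def simulate(attempts, seconds=SECONDS, hitcount=HITCOUNT):
    """Replay new connections against:
         -m recent --update --seconds S --hitcount N --name SSH --rsource -j DROP
         -m recent --set --name SSH --rsource
    Rule 1 matches when the source already has >= N stamps inside the last
    S seconds; a match refreshes the entry, a miss falls through to --set,
    so the packet is recorded either way. Returns [(t, ip, verdict), ...]."""
    stamps = defaultdict(list)
    verdicts = []
    for t, ip in attempts:
        in_window = [s for s in stamps[ip] if t - s <= seconds]
        verdict = 'DROP' if len(in_window) >= hitcount else 'ACCEPT'
        stamps[ip].append(t)
        del stamps[ip][:-PKT_LIST_TOT]   # ring buffer of the last 20 stamps
        verdicts.append((t, ip, verdict))
    return verdicts


def verdicts_for(text, ip, seconds=SECONDS, hitcount=HITCOUNT):
    """Verdict list for one source address, in attempt order."""
    return [v for _, src, v in simulate(parse_failures(text), seconds, hitcount)
            if src == ip]


if __name__ == '__main__':
    for ip in ('203.0.113.7', '198.51.100.9'):
        times = [t for t, src in parse_failures(LOG) if src == ip]
        print(ip, 'gaps (s):  ', gaps(times))
        print(ip, '60s/4:     ', verdicts_for(LOG, ip))
        print(ip, '3600s/4:   ', verdicts_for(LOG, ip, seconds=3600))
```

Under the 60-second window the paced source is never dropped, which is the thread's observation in miniature: a script that spaces its connections wider than the window never accumulates the hit count. Raising `--seconds` to 3600 as David suggests makes the same pacing trip the rule on its fifth connection, at the cost Tom describes of also catching a legitimate burst of your own scp sessions, so the window length is a trade you make deliberately.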