[CentOS] sshd: Authentication Failures: 137 Time(s)

Mon Apr 4 15:36:16 UTC 2011
m.roth at 5-cent.us <m.roth at 5-cent.us>

Rainer Traut wrote:
> Am 04.04.2011 12:34, schrieb Marian Marinov:
>>> How is it possible for an attacker to try to logon more then 4 times?
>>> Can the attacker do this with only one TCP/IP connection without
>>> establishing a new one?
>>> Or have the scripts been adapted to this?
>>
>> The attackers are not trying constantly.. Just a few bursts of trys.
>>
>> Look at denyhosts ( http://denyhosts.sourceforge.net/ ).
>> I also have a tool for protecting from brute force attacks called Hawk (
>> https://github.com/hackman/Hawk-IDS-IPS ).
>
> Ok, thanks to both of you, it seems the scripts getting better and better.
> Will change my iptables rule to keep the blacklist for longer.

May I highly commend to your attention fail2ban? We use it, and it works
very well. Default is 3 from an IP, 5 for ssh, and it's banned for a
configurable amount of time - default is 2 hours. And you can add
additional filters.

         mark