[CentOS] sshd: Authentication Failures: 137 Time(s)

Mon Apr 4 09:59:37 UTC 2011
David Sommerseth <dazo at users.sourceforge.net>

On 04/04/11 11:18, Rainer Traut wrote:
> Hi,
> to prevent scripted dictionary attacks to sshd
> I applied those iptables rules:
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --name SSH --rsource -j DROP
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m recent --set --name SSH --rsource
> And this is part of logwatch:
> sshd:
>      Authentication Failures:
>         unknown (www.telkom.co.ke): 137 Time(s)
>         unknown (mkongwe.jambo.co.ke): 130 Time(s)
>         unknown ( 107 Time(s)
>         root ( 8 Time(s)
> How is it possible for an attacker to try to log on more than 4 times?
> Can the attacker do this with only one TCP/IP connection without
> establishing a new one?
> Or have the scripts been adapted to this?

This is just a hunch, but --seconds 60 indicates that it will only look
back one minute to check if it could find a hit.  So if the attacker tries
to connect again after 2 minutes or even 61 seconds, it won't trigger this
rule.  Try increasing this value to 3600 (1 hour).  Maybe you want even longer.

kind regards,

David Sommerseth
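As an added example (not part of the thread), a small Python model of how the `recent` module evaluates the two rules above, so the effect of `--seconds` can be checked against the arrival pattern of an attacker. It assumes the xt_recent semantics that `--set` records a timestamp for the source, `--update --seconds S --hitcount N` matches only when N timestamps already fall inside the last S seconds and refreshes the entry on a match; the arrival times and the source name are constructed for the example.

```python
from collections import defaultdict


class RecentList:
    """Minimal model of an iptables 'recent' list (constructed for this example)."""

    def __init__(self, max_stamps=20):
        # source -> timestamps (seconds) of NEW connections that were --set
        self.stamps = defaultdict(list)
        self.max_stamps = max_stamps  # xt_recent keeps a bounded ring per source

    def set(self, src, now):
        """--set: record this packet's timestamp for src."""
        stamps = self.stamps[src]
        stamps.append(now)
        del stamps[:-self.max_stamps]

    def update_hit(self, src, now, seconds, hitcount):
        """--update --seconds S --hitcount N: match if src already has N stamps
        within the last S seconds; on a match the entry is refreshed."""
        stamps = self.stamps.get(src)
        if not stamps:
            return False
        hits = sum(1 for t in stamps if t >= now - seconds)
        if hits >= hitcount:
            self.set(src, now)  # refresh, as --update does when it matches
            return True
        return False


def simulate(arrivals, seconds, hitcount=4):
    """Apply the two rules from the post, in order, to one source's NEW
    connections at the given arrival times. Returns one verdict per connection."""
    table = RecentList()
    verdicts = []
    for now in arrivals:
        if table.update_hit("attacker", now, seconds, hitcount):
            verdicts.append("DROP")      # rule 1 matched: -j DROP
        else:
            table.set("attacker", now)   # rule 2: --set, packet goes on to sshd
            verdicts.append("ACCEPT")
    return verdicts


def accepted(arrivals, seconds, hitcount=4):
    """Number of connections that reach sshd for this arrival pattern."""
    return simulate(arrivals, seconds, hitcount).count("ACCEPT")
```

With `--seconds 60`, a source that connects once every 16 seconds is never dropped, because no 60-second window ever holds four earlier stamps; with `--seconds 3600` the same pattern is cut off after four connections. Note that sshd also allows several password attempts per connection (`MaxAuthTries`, default 6), so accepted connections are a lower bound on the number of guesses.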