[CentOS] sshd: Authentication Failures: 137 Time(s)

Mon Apr 4 13:35:34 UTC 2011
henry ritzlmayr <centos at rc0.at>

On Monday, 04.04.2011 at 15:07 +0200, Rainer Traut wrote:
> On 04.04.2011 12:34, Marian Marinov wrote:
> >> How is it possible for an attacker to try to log on more than 4 times?
> >> Can the attacker do this with only one TCP/IP connection without
> >> establishing a new one?
> >> Or have the scripts been adapted to this?
> >
> > The attackers are not trying constantly. Just a few bursts of tries.
> >
> > Look at denyhosts ( http://denyhosts.sourceforge.net/ ).
> > I also have a tool for protecting from brute force attacks called Hawk (
> > https://github.com/hackman/Hawk-IDS-IPS ).
> 
> Ok, thanks to both of you, it seems the scripts are getting better and better.
> Will change my iptables rule to keep the blacklist for longer.
> 
> Thx
> Rainer

Also check MaxAuthTries in /etc/ssh/sshd_config

Specifies the maximum number of authentication attempts permitted per
connection.

Henry
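
An added example, not part of the original thread: a small log check that shows whether failures arrive as many attempts on one connection (what MaxAuthTries limits) or as many short connections (what a per-IP blacklist limits). It assumes OpenSSH "Failed password" lines in /var/log/secure and treats each (sshd PID, source IP, source port) tuple as one connection; the log lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in /var/log/secure style; addresses are documentation ranges.
SAMPLE_LOG = """\
Apr  4 12:01:02 host sshd[2101]: Failed password for root from 192.0.2.10 port 40001 ssh2
Apr  4 12:01:04 host sshd[2101]: Failed password for root from 192.0.2.10 port 40001 ssh2
Apr  4 12:01:06 host sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2
Apr  4 12:01:08 host sshd[2101]: Failed password for invalid user test from 192.0.2.10 port 40001 ssh2
Apr  4 12:02:10 host sshd[2130]: Failed password for root from 198.51.100.7 port 51000 ssh2
Apr  4 12:02:12 host sshd[2130]: Failed password for root from 198.51.100.7 port 51000 ssh2
Apr  4 12:02:15 host sshd[2134]: Failed password for root from 198.51.100.7 port 51022 ssh2
Apr  4 12:02:17 host sshd[2134]: Failed password for root from 198.51.100.7 port 51022 ssh2
Apr  4 12:03:00 host sshd[2140]: Accepted publickey for henry from 203.0.113.5 port 60000 ssh2
"""

FAILED = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed password for (?:invalid user )?\S+ "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)

def failures_per_connection(log_text):
    """Count failed password attempts per (pid, ip, port), i.e. per connection."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            counts[(m["pid"], m["ip"], m["port"])] += 1
    return counts

def summarize(log_text):
    """Per source IP: total failures, connections used, worst single connection."""
    per_ip = defaultdict(
        lambda: {"failures": 0, "connections": 0, "max_per_connection": 0})
    for (_pid, ip, _port), n in failures_per_connection(log_text).items():
        s = per_ip[ip]
        s["failures"] += n
        s["connections"] += 1
        s["max_per_connection"] = max(s["max_per_connection"], n)
    return dict(per_ip)

if __name__ == "__main__":
    for ip, stats in sorted(summarize(SAMPLE_LOG).items()):
        print(ip, stats)
```

A high max_per_connection is the case MaxAuthTries addresses; many connections with few failures each is the case the iptables blacklist addresses.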