You could also try using tcpwrappers along with iptables.

On 04/04/2011 06:34 AM, Marian Marinov wrote:
> On Monday 04 April 2011 12:18:43 Rainer Traut wrote:
>> Hi,
>>
>> to prevent scripted dictionary attacks to sshd
>> I applied those iptables rules:
>>
>> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --name SSH --rsource -j DROP
>> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m recent --set --name SSH --rsource
>>
>> And this is part of logwatch:
>>
>> sshd:
>>    Authentication Failures:
>>       unknown (www.telkom.co.ke): 137 Time(s)
>>       unknown (mkongwe.jambo.co.ke): 130 Time(s)
>>       unknown (212.49.70.24): 107 Time(s)
>>       root (195.191.250.101): 8 Time(s)
>>
>> How is it possible for an attacker to try to log on more than 4 times?
>> Can the attacker do this with only one TCP/IP connection without
>> establishing a new one?
>> Or have the scripts been adapted to this?
>
> The attackers are not trying constantly. Just a few bursts of tries.
>
> Look at denyhosts ( http://denyhosts.sourceforge.net/ ).
> I also have a tool for protecting from brute force attacks called Hawk (
> https://github.com/hackman/Hawk-IDS-IPS ).
>
> Marian
>>
>> Thx
>> Rainer
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> http://lists.centos.org/mailman/listinfo/centos
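Added example, not part of the original thread: a small Python model of the two quoted `recent` rules, run over constructed connection times, showing why logwatch can report far more than 4 failures per source. It assumes a later INPUT rule accepts what rule 1 does not drop and that sshd runs with its default `MaxAuthTries` of 6; the function names and the 192.0.2.10 address are made up for the illustration.

```python
from collections import defaultdict

WINDOW = 60    # --seconds 60
HITCOUNT = 4   # --hitcount 4

def filter_new_connections(events):
    """Apply the two quoted `recent` rules to NEW packets for port 22.

    events: (timestamp_seconds, source_ip) tuples sorted by time.
    Returns {source_ip: [timestamps that were not dropped]}.
    Assumption: a later INPUT rule accepts whatever rule 1 does not drop.
    """
    stamps = defaultdict(list)    # the "SSH" list, one entry per --rsource
    accepted = defaultdict(list)
    for t, src in events:
        # Rule 1 (--update): count stamps from this source in the last 60 s.
        hits = sum(1 for s in stamps[src] if s >= t - WINDOW)
        # A dropped packet is stamped by --update, a passing one by --set,
        # so every NEW packet ends up recorded either way.
        stamps[src].append(t)
        if hits < HITCOUNT:
            accepted[src].append(t)
    return dict(accepted)

def max_auth_failures(accepted, max_auth_tries=6):
    """Upper bound on failures sshd can log per source: every accepted
    connection allows up to MaxAuthTries attempts (sshd_config default 6)."""
    return {src: len(ts) * max_auth_tries for src, ts in accepted.items()}

def constructed_bursts(src, bursts, per_burst, gap):
    """Constructed sample input: bursts of connections 1 s apart, `gap` s between bursts."""
    return [(b * gap + i, src) for b in range(bursts) for i in range(per_burst)]

if __name__ == "__main__":
    # Constructed traffic: 6 bursts of 10 connections, one burst every 10 minutes.
    events = constructed_bursts("192.0.2.10", bursts=6, per_burst=10, gap=600)
    accepted = filter_new_connections(events)
    print("accepted connections:", {s: len(t) for s, t in accepted.items()})
    print("possible failures, MaxAuthTries 6:", max_auth_failures(accepted))
    print("possible failures, MaxAuthTries 2:", max_auth_failures(accepted, 2))
```

The rules limit new TCP connections per minute, not password attempts, so the daily failure count scales with both the number of bursts and `MaxAuthTries`.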