On 10.03.2013 03:01, Les Mikesell wrote:
> On Sat, Mar 9, 2013 at 11:57 AM, Tilman Schmidt
> <t.schmidt at phoenixsoftware.de> wrote:
>>
>> Mar 3 04:44:48 gimli sshd[12870]: reverse mapping checking getaddrinfo
>> for hn.ly.kd.adsl failed - POSSIBLE BREAK-IN ATTEMPT!
>> Mar 3 04:44:49 gimli sshd[12871]: Received disconnect from
>> 61.163.113.72: 11: Bye Bye
>>
>> If I set "UseDNS no" the first message disappears and only the second
>> one remains.
>>
>> So it seems there is no way to identify password bruteforcing attempts
>> on servers which don't accept password authentication in the first
>> place.
>
> Can't you pick some reasonable number of 'received disconnect'
> messages to allow from a single IP?

Yes, I think that should work. I was worried that "received disconnect"
messages might also appear for legitimate connections, but looking
through my logs it seems that they don't. I have set it up as a test on
one of my servers with a threshold of 15 attempts in 1000 secs now to
see how it will fare.

Thanks,
Tilman

--
Tilman Schmidt
Phoenix Software GmbH
Bonn, Germany
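
The threshold check discussed in this thread, as an added example that is not part of the original message or of any tool named in it: a sliding-window count of sshd "Received disconnect" lines per source IP. The function names, the assumed year (syslog timestamps carry none), the reading of the threshold as "15 or more within 1000 seconds", and the constructed sample log are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the sshd line format quoted in the thread (assumed to be the only format in use).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"Received disconnect from (?P<ip>[0-9A-Fa-f.:]+?): \d+:"
)

def parse_line(line, year=2013):
    """Return (timestamp, ip) for a 'Received disconnect' line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Classic syslog timestamps have no year, so one is assumed.
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("ip")

def find_offenders(lines, threshold=15, window_secs=1000, year=2013):
    """Return {ip: time the threshold was first reached} using a per-IP sliding window."""
    recent = defaultdict(deque)
    offenders = {}
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, ip = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_secs:
            q.popleft()  # drop events that fell out of the window
        if len(q) >= threshold and ip not in offenders:
            offenders[ip] = ts
    return offenders

def sample_log():
    """Constructed sample: 15 disconnects in 14 minutes from one IP, 2 from another."""
    fmt = "Mar  3 04:{:02d}:00 gimli sshd[{}]: Received disconnect from {}: 11: Bye Bye"
    lines = [fmt.format(m, 13000 + m, "203.0.113.5") for m in range(15)]
    lines += [fmt.format(m, 14000 + m, "198.51.100.7") for m in (1, 30)]
    lines.append("Mar  3 04:44:48 gimli sshd[12870]: reverse mapping checking getaddrinfo "
                 "for hn.ly.kd.adsl failed - POSSIBLE BREAK-IN ATTEMPT!")
    return lines

if __name__ == "__main__":
    for ip, ts in find_offenders(sample_log()).items():
        print(f"{ip} reached the threshold at {ts}")
```
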