[ale] 300,000 failed login attempts in 6 months!!!

Stephen Benjamin skbenja at gmail.com
Mon Aug 18 12:43:22 EDT 2008


Hey Greg,

I use DenyHosts: denyhosts.sourceforge.net

Configurable to add users to /etc/hosts.deny after X number of failed
attempts.  Also can autoblock faster on unknown users and attempted root
logins.

It works pretty well.


- Steve

On Mon, Aug 18, 2008 at 12:35 PM, Greg Freemyer <greg.freemyer at gmail.com>wrote:

> All,
>
> Is there a way to only allow one ksh attempt per IP per timeframe.
> And after X attempts to block it for an hour or so?
>
> ===> Details
>
> I run our webserver on a virtual slice we rent from a hosting company.
>  Nothing very proprietary on it.  In the last 60 seconds I'm getting a
> lot of failed ksh attempts from just a couple of IPs.
>
> Taking a look at /var/log/message I'm getting a surprising amount of
> login attempts.:
>
> bash-3.00# grep "check pass; user unknown" messages | head
> Feb  2 15:13:05 norcross sshd(pam_unix)[1861]: check pass; user unknown
> Feb  2 15:13:18 norcross sshd(pam_unix)[1867]: check pass; user unknown
> Feb  2 15:13:21 norcross sshd(pam_unix)[1869]: check pass; user unknown
> Feb  3 01:01:49 norcross sshd(pam_unix)[9183]: check pass; user unknown
> Feb  3 01:01:58 norcross sshd(pam_unix)[9185]: check pass; user unknown
> Feb  3 01:02:07 norcross sshd(pam_unix)[9187]: check pass; user unknown
> Feb  3 01:02:18 norcross sshd(pam_unix)[9189]: check pass; user unknown
> Feb  3 09:26:40 norcross sshd(pam_unix)[9260]: check pass; user unknown
> Feb  3 09:26:44 norcross sshd(pam_unix)[9262]: check pass; user unknown
> Feb  3 09:26:47 norcross sshd(pam_unix)[9264]: check pass; user unknown
>
> So it looks like I setup this server in Feb 2008 and I likely typed in
> the user name wrong a few times.
>
> Lets see how often in the last 6 months:
>
> bash-3.00# grep "check pass; user unknown" messages | wc -l
> 363748
>
> I must say I'm surprised to see that.  I did not realize I could type
> that fast. :-(
>
> Is every hacker in the world trying to break in my little virtual server!!
>
> I don't want to restrict access to private/public key authentication,
> but other than continueing to use strong passwords, is there something
> else I should be doing to slow down the onslaught.
>
> Greg
> --
> Greg Freemyer
> Litigation Triage Solutions Specialist
> http://www.linkedin.com/in/gregfreemyer
> First 99 Days Litigation White Paper -
> http://www.norcrossgroup.com/forms/whitepapers/99%20Days%20whitepaper.pdf
>
> The Norcross Group
> The Intersection of Evidence & Technology
> http://www.norcrossgroup.com
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.ale.org/pipermail/ale/attachments/20080818/f4b6db97/attachment.html 


More information about the Ale mailing list