[ale] 300,000 failed login attempts in 6 months!!!

Greg Freemyer greg.freemyer at gmail.com
Mon Aug 18 13:39:49 EDT 2008


I'm going the denyhosts route.

This is a CentOS server and it is in the default yum repository.  (A
couple of versions old (2.4), but it should be fine.)

Greg

2008/8/18 Stephen Benjamin <skbenja at gmail.com>:
> Hey Greg,
>
> I use DenyHosts: denyhosts.sourceforge.net
>
> Configurable to add users to /etc/hosts.deny after X number of failed
> attempts.  Also can autoblock faster on unknown users and attempted root
> logins.
>
> It works pretty well.
>
>
> - Steve
>
> On Mon, Aug 18, 2008 at 12:35 PM, Greg Freemyer <greg.freemyer at gmail.com>
> wrote:
>>
>> All,
>>
>> Is there a way to only allow one ssh attempt per IP per timeframe,
>> and after X attempts to block it for an hour or so?
>>
>> ===> Details
>>
>> I run our webserver on a virtual slice we rent from a hosting company.
>>  Nothing very proprietary on it.  In the last 60 seconds I'm getting a
>> lot of failed ssh attempts from just a couple of IPs.
>>
>> Taking a look at /var/log/messages I'm getting a surprising amount of
>> login attempts:
>>
>> bash-3.00# grep "check pass; user unknown" messages | head
>> Feb  2 15:13:05 norcross sshd(pam_unix)[1861]: check pass; user unknown
>> Feb  2 15:13:18 norcross sshd(pam_unix)[1867]: check pass; user unknown
>> Feb  2 15:13:21 norcross sshd(pam_unix)[1869]: check pass; user unknown
>> Feb  3 01:01:49 norcross sshd(pam_unix)[9183]: check pass; user unknown
>> Feb  3 01:01:58 norcross sshd(pam_unix)[9185]: check pass; user unknown
>> Feb  3 01:02:07 norcross sshd(pam_unix)[9187]: check pass; user unknown
>> Feb  3 01:02:18 norcross sshd(pam_unix)[9189]: check pass; user unknown
>> Feb  3 09:26:40 norcross sshd(pam_unix)[9260]: check pass; user unknown
>> Feb  3 09:26:44 norcross sshd(pam_unix)[9262]: check pass; user unknown
>> Feb  3 09:26:47 norcross sshd(pam_unix)[9264]: check pass; user unknown
>>
>> So it looks like I set up this server in Feb 2008 and I likely typed in
>> the user name wrong a few times.
>>
>> Let's see how often in the last 6 months:
>>
>> bash-3.00# grep "check pass; user unknown" messages | wc -l
>> 363748
>>
>> I must say I'm surprised to see that.  I did not realize I could type
>> that fast. :-(
>>
>> Is every hacker in the world trying to break into my little virtual server!!
>>
>> I don't want to restrict access to private/public key authentication,
>> but other than continuing to use strong passwords, is there something
>> else I should be doing to slow down the onslaught?
>>
>> Greg
>> --
>> Greg Freemyer
>> Litigation Triage Solutions Specialist
>> http://www.linkedin.com/in/gregfreemyer
>> First 99 Days Litigation White Paper -
>> http://www.norcrossgroup.com/forms/whitepapers/99%20Days%20whitepaper.pdf
>>
>> The Norcross Group
>> The Intersection of Evidence & Technology
>> http://www.norcrossgroup.com
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> http://mail.ale.org/mailman/listinfo/ale
>
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
>
>



-- 
Greg Freemyer
Litigation Triage Solutions Specialist
http://www.linkedin.com/in/gregfreemyer
First 99 Days Litigation White Paper -
http://www.norcrossgroup.com/forms/whitepapers/99%20Days%20whitepaper.pdf

The Norcross Group
The Intersection of Evidence & Technology
http://www.norcrossgroup.com
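The thread counts "check pass; user unknown" lines with grep and then reaches for DenyHosts to turn per-IP failure counts into /etc/hosts.deny entries. The script below is an added example, not code from the ale thread or from DenyHosts, that does the same tally by hand: it extracts the source address from the two sshd log formats found on a CentOS box of that era (the pam_unix "authentication failure ... rhost=<ip>" line and the sshd "Failed password ... from <ip>" line), prints failures per address, emits hosts.deny lines for addresses over a threshold, and reports addresses with X failures inside one clock hour, which is the "X attempts per timeframe" question. The log lines are constructed for the example (RFC 5737 test addresses, hostname norcross borrowed from the thread); it assumes only POSIX sh and awk.

```shell
#!/bin/sh
# Added example, not code from the ale thread or from DenyHosts: tally failed sshd
# logins per source address from a syslog-style messages file and emit hosts.deny
# entries (plus a per-hour burst report) for addresses over a threshold.
# Assumptions: POSIX sh/awk; log formats are the CentOS-era
# "sshd(pam_unix) ... rhost=<ip>" line and the sshd "Failed password ... from <ip>" line.

# Constructed sample log (not real data). Note that the "check pass; user unknown"
# line the thread greps for carries no source address; the rhost= companion line does.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Feb  3 01:01:49 norcross sshd(pam_unix)[9183]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=admin
Feb  3 01:01:49 norcross sshd(pam_unix)[9183]: check pass; user unknown
Feb  3 01:01:58 norcross sshd(pam_unix)[9185]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7
Feb  3 01:02:07 norcross sshd(pam_unix)[9187]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7
Feb  3 01:02:18 norcross sshd(pam_unix)[9189]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7
Feb  3 01:02:20 norcross crond[9190]: (root) CMD (run-parts /etc/cron.hourly)
Feb  3 09:26:40 norcross sshd[9260]: Failed password for invalid user admin from 198.51.100.9 port 4422 ssh2
Feb  3 09:26:44 norcross sshd[9262]: Failed password for root from 198.51.100.9 port 4423 ssh2
Feb  3 09:27:10 norcross sshd(pam_unix)[9264]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.44  user=greg
Feb  4 11:00:01 norcross sshd(pam_unix)[9300]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=box.example.invalid  user=greg
EOF

# awk helper shared by the functions below: return the source IPv4 address of a
# failed-login line, or "" if the line carries none (hostnames in rhost= are skipped).
AWK_SRC='
function src(line) {
    if (match(line, /rhost=[0-9.]+/)) return substr(line, RSTART + 6, RLENGTH - 6)
    if (line ~ /Failed password/ && match(line, / from [0-9.]+/)) return substr(line, RSTART + 6, RLENGTH - 6)
    return ""
}
'

# Usage: failed_logins_per_ip LOGFILE  -> "count ip" per address, busiest first
failed_logins_per_ip() {
    awk "$AWK_SRC"'
        /sshd/ { ip = src($0); if (ip != "") n[ip]++ }
        END { for (ip in n) print n[ip], ip }
    ' "$1" | sort -rn
}

# Usage: hosts_deny_entries LOGFILE THRESHOLD -> "sshd: ip" lines for /etc/hosts.deny
hosts_deny_entries() {
    failed_logins_per_ip "$1" | awk -v t="$2" '$1 >= t { print "sshd: " $2 }'
}

# Usage: bursts_per_hour LOGFILE THRESHOLD -> "count ip Mon DD HH" for every address
# with at least THRESHOLD failures inside one clock hour. Syslog timestamps have no
# year, so the bucket key is month, day and hour as written in the log.
bursts_per_hour() {
    awk -v t="$2" "$AWK_SRC"'
        /sshd/ { ip = src($0); if (ip != "") n[ip " " $1 " " $2 " " substr($3, 1, 2)]++ }
        END { for (k in n) if (n[k] >= t) print n[k], k }
    ' "$1" | sort -rn
}

echo "== failures per source address"
failed_logins_per_ip "$SAMPLE_LOG"
echo "== hosts.deny entries for addresses with >= 3 failures"
hosts_deny_entries "$SAMPLE_LOG" 3
echo "== addresses with >= 3 failures inside one clock hour"
bursts_per_hour "$SAMPLE_LOG" 3
```

Two things worth keeping in mind before wiring output like this into /etc/hosts.deny on a real host. hosts.deny only takes effect if sshd is linked against tcp_wrappers (the CentOS package is), and an automated blocker of any kind should carry a whitelist of your own management addresses, because a few mistyped passwords from your own desk otherwise lock you out of a rented slice you can only reach over ssh. The per-hour bucket is a coarse stand-in for the sliding window the thread asks about; it is good enough to spot the bursts but will split a run of attempts that straddles an hour boundary into two smaller counts.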

