On Mon, 5 Jun 2006, Oliver Schmidt wrote:
> > Hi,
> >
> > today when I was checking the server log I got many external
> > attempts to connect to my sshd service:
> >
> > ...
> > Jun 5 05:09:45 embedded sshd[4740]: Invalid user barbara from x.y.w.z
> > Jun 5 05:09:46 embedded sshd[4742]: Invalid user barb from x.y.w.z
> > Jun 5 05:09:48 embedded sshd[4744]: Invalid user barbie from x.y.w.z
> > Jun 5 05:09:50 embedded sshd[4746]: Invalid user barbra from x.y.w.z
> > Jun 5 05:09:51 embedded sshd[4748]: Invalid user barman from x.y.w.z
> > Jun 5 05:09:53 embedded sshd[4750]: Invalid user barney from x.y.w.z
> > ...
> >
> > this seems to be a brute force attack, but one thing that worried me
> > is why sshd didn't disconnect the remote host after 3 unsuccessful
> > attempts? If we see in the log, there are many attempts with a time
> > interval between attempts of 2 or 3 seconds, meaning that the sshd
> > didn't disconnect the remote host after 3 attempts.
> > So, first, am I thinking correctly about the sshd attempts?
> > Second, how can I set up sshd or the entire system to permit just 2 or
> > 3 attempts of authentication? I was checking the /etc/login.defs file
> > and I see the following option:
> >
>
> Try using Denyhosts ... no problem with bruteforce attacks anymore. Denyhosts
> adds the IP of the attacker to the /etc/hosts.deny file.
> Install it with:
> ACCEPT_KEYWORDS="~x86" emerge denyhosts
> and add to your /etc/crontab
> */10 * * * * root python /usr/bin/denyhosts -c /etc/denyhosts.conf
>
> Use it now for more than a year... it's perfect to block bruteforce attacks.
>
> cheers
> Oli
>

Agreed, DenyHosts works great, even sends me an email when it adds an address. DenyHosts can also be configured to watch ftp server logs. You don't need to run it from a cron script (though you certainly can), there is an init script created on install that works just fine too.

--
gentoo-user@gentoo.org mailing list
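The cron line quoted above runs DenyHosts, which scans the sshd log and appends offending addresses to /etc/hosts.deny. The following is an added example, written for this thread and not DenyHosts' own code, showing the core of that approach in Python: parse OpenSSH failure lines, count failures per source address inside a sliding time window, and emit hosts.deny entries for addresses over a threshold. The sample log lines are constructed (RFC 5737 documentation addresses stand in for the thread's x.y.w.z), the year 2006 is assumed because syslog timestamps carry none, and the threshold and window values are arbitrary. The helper that counts distinct sshd PIDs per address illustrates the original poster's observation: every attempt in the quoted log is a fresh connection with its own sshd process, which is why sshd's per-connection MaxAuthTries limit on its own does not stop the pattern and a log-watching blocker is needed.

```python
"""Count sshd login failures per source address from syslog-style lines and
emit /etc/hosts.deny entries, in the manner of DenyHosts.

Added example for the gentoo-user thread; not DenyHosts' own code. Sample
lines and threshold/window values below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_YEAR = 2006  # assumption: syslog lines carry no year field

# Two failure messages OpenSSH writes: "Invalid user X from IP" and
# "Failed password for [invalid user] X from IP port N ssh2".
FAILURE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"\S+\s+sshd\[(?P<pid>\d+)\]:\s+"
    r"(?:Invalid user (?P<user1>\S+) from (?P<ip1>\S+)"
    r"|Failed password for (?:invalid user )?(?P<user2>\S+) from (?P<ip2>\S+))"
)

# Constructed sample log: one address hammering with a new connection (new
# PID) every couple of seconds, one legitimate user with two typos far apart.
SAMPLE_LOG = """\
Jun  5 05:09:45 embedded sshd[4740]: Invalid user barbara from 203.0.113.7
Jun  5 05:09:46 embedded sshd[4742]: Invalid user barb from 203.0.113.7
Jun  5 05:09:48 embedded sshd[4744]: Invalid user barbie from 203.0.113.7
Jun  5 05:09:50 embedded sshd[4746]: Invalid user barbra from 203.0.113.7
Jun  5 05:09:51 embedded sshd[4748]: Invalid user barman from 203.0.113.7
Jun  5 05:09:53 embedded sshd[4750]: Failed password for invalid user barney from 203.0.113.7 port 40122 ssh2
Jun  5 05:12:02 embedded sshd[4801]: Failed password for alice from 198.51.100.23 port 51020 ssh2
Jun  5 05:12:09 embedded sshd[4803]: Accepted publickey for alice from 198.51.100.23 port 51021 ssh2
Jun  5 05:40:11 embedded sshd[4910]: Failed password for alice from 198.51.100.23 port 51100 ssh2
"""


def parse_failures(lines):
    """Return (timestamp, ip, user, pid) for each failed-login line.

    Lines that are not authentication failures (e.g. 'Accepted publickey')
    are skipped.
    """
    events = []
    for line in lines:
        m = FAILURE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(
            f"{m['mon']} {m['day']} {m['time']} {LOG_YEAR}", "%b %d %H:%M:%S %Y"
        )
        events.append((ts, m["ip1"] or m["ip2"], m["user1"] or m["user2"], int(m["pid"])))
    return events


def offenders(events, threshold=3, window_seconds=600):
    """Return {ip: peak_count} for addresses with at least `threshold`
    failures inside any `window_seconds`-wide sliding window."""
    per_ip = defaultdict(list)
    for ts, ip, _user, _pid in events:
        per_ip[ip].append(ts)
    result = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            # slide the window start forward until it fits within window_seconds
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            result[ip] = peak
    return result


def hosts_deny_lines(ips):
    """Format blocked addresses as TCP-wrapper entries for /etc/hosts.deny."""
    return [f"sshd: {ip}" for ip in sorted(ips)]


def connections_per_ip(events):
    """Distinct sshd PIDs per address: each PID is a separate connection,
    which is why a per-connection attempt limit alone does not stop this."""
    per_ip = defaultdict(set)
    for _ts, ip, _user, pid in events:
        per_ip[ip].add(pid)
    return {ip: len(pids) for ip, pids in per_ip.items()}


if __name__ == "__main__":
    evs = parse_failures(SAMPLE_LOG.splitlines())
    bad = offenders(evs)
    print("failures parsed:", len(evs))
    print("connections per ip:", connections_per_ip(evs))
    print("offenders:", bad)
    print("\n".join(hosts_deny_lines(bad)))
```

Run against a real log with `parse_failures(open("/var/log/auth.log"))` (path is site specific); the threshold and window are the knobs DenyHosts exposes in its config, and the output lines are what it appends to /etc/hosts.deny.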