[ale] 300,000 failed login attempts in 6 months!!!
Jim Lynch
ale_nospam at fayettedigital.com
Mon Aug 18 12:46:01 EDT 2008
Greg Freemyer wrote:
> All,
>
> Is there a way to only allow one ksh attempt per IP per timeframe.
> And after X attempts to block it for an hour or so?
>
> ===> Details
>
> I run our webserver on a virtual slice we rent from a hosting company.
> Nothing very proprietary on it. In the last 60 seconds I'm getting a
> lot of failed ksh attempts from just a couple of IPs.
>
> Taking a look at /var/log/message I'm getting a surprising amount of
> login attempts.:
>
> bash-3.00# grep "check pass; user unknown" messages | head
> Feb 2 15:13:05 norcross sshd(pam_unix)[1861]: check pass; user unknown
> Feb 2 15:13:18 norcross sshd(pam_unix)[1867]: check pass; user unknown
> Feb 2 15:13:21 norcross sshd(pam_unix)[1869]: check pass; user unknown
> Feb 3 01:01:49 norcross sshd(pam_unix)[9183]: check pass; user unknown
> Feb 3 01:01:58 norcross sshd(pam_unix)[9185]: check pass; user unknown
> Feb 3 01:02:07 norcross sshd(pam_unix)[9187]: check pass; user unknown
> Feb 3 01:02:18 norcross sshd(pam_unix)[9189]: check pass; user unknown
> Feb 3 09:26:40 norcross sshd(pam_unix)[9260]: check pass; user unknown
> Feb 3 09:26:44 norcross sshd(pam_unix)[9262]: check pass; user unknown
> Feb 3 09:26:47 norcross sshd(pam_unix)[9264]: check pass; user unknown
>
> So it looks like I setup this server in Feb 2008 and I likely typed in
> the user name wrong a few times.
>
> Lets see how often in the last 6 months:
>
> bash-3.00# grep "check pass; user unknown" messages | wc -l
> 363748
>
> I must say I'm surprised to see that. I did not realize I could type
> that fast. :-(
>
> Is every hacker in the world trying to break in my little virtual server!!
>
> I don't want to restrict access to private/public key authentication,
> but other than continueing to use strong passwords, is there something
> else I should be doing to slow down the onslaught.
>
> Greg
>
1. change the sshd port.
2. I had good luck with a package called denyhosts. It's configurable
but out of the box it will let a use try a few times and then adds their
IP address to hostsdeny.
Jim.
More information about the Ale
mailing list