[ale] 300,000 failed login attempts in 6 months!!!

A.D.Wilson awilson at smartfurniture.com
Mon Aug 18 13:04:56 EDT 2008


Maybe fail2ban?

-----Original Message-----
From: Greg Freemyer <greg.freemyer at gmail.com>
Sent: Monday, August 18, 2008 12:35 PM
To: Atlanta Linux Enthusiasts <ale at ale.org>
Subject: [ale] 300,000 failed login attempts in 6 months!!!

All,

Is there a way to only allow one ksh attempt per IP per timeframe.
And after X attempts to block it for an hour or so?

===> Details

I run our webserver on a virtual slice we rent from a hosting company.
 Nothing very proprietary on it.  In the last 60 seconds I'm getting a
lot of failed ksh attempts from just a couple of IPs.

Taking a look at /var/log/message I'm getting a surprising amount of
login attempts.:

bash-3.00# grep "check pass; user unknown" messages | head
Feb  2 15:13:05 norcross sshd(pam_unix)[1861]: check pass; user unknown
Feb  2 15:13:18 norcross sshd(pam_unix)[1867]: check pass; user unknown
Feb  2 15:13:21 norcross sshd(pam_unix)[1869]: check pass; user unknown
Feb  3 01:01:49 norcross sshd(pam_unix)[9183]: check pass; user unknown
Feb  3 01:01:58 norcross sshd(pam_unix)[9185]: check pass; user unknown
Feb  3 01:02:07 norcross sshd(pam_unix)[9187]: check pass; user unknown
Feb  3 01:02:18 norcross sshd(pam_unix)[9189]: check pass; user unknown
Feb  3 09:26:40 norcross sshd(pam_unix)[9260]: check pass; user unknown
Feb  3 09:26:44 norcross sshd(pam_unix)[9262]: check pass; user unknown
Feb  3 09:26:47 norcross sshd(pam_unix)[9264]: check pass; user unknown

So it looks like I setup this server in Feb 2008 and I likely typed in
the user name wrong a few times.

Lets see how often in the last 6 months:

bash-3.00# grep "check pass; user unknown" messages | wc -l
363748

I must say I'm surprised to see that.  I did not realize I could type
that fast. :-(

Is every hacker in the world trying to break in my little virtual server!!

I don't want to restrict access to private/public key authentication,
but other than continueing to use strong passwords, is there something
else I should be doing to slow down the onslaught.

Greg
-- 
Greg Freemyer
Litigation Triage Solutions Specialist
http://www.linkedin.com/in/gregfreemyer
First 99 Days Litigation White Paper -
http://www.norcrossgroup.com/forms/whitepapers/99%20Days%20whitepaper.pdf

The Norcross Group
The Intersection of Evidence & Technology
http://www.norcrossgroup.com
_______________________________________________
Ale mailing list
Ale at ale.org
http://mail.ale.org/mailman/listinfo/ale




More information about the Ale mailing list