[ale] 300,000 failed login attempts in 6 months!!!
A.D.Wilson
awilson at smartfurniture.com
Mon Aug 18 13:04:56 EDT 2008
Maybe fail2ban?
-----Original Message-----
From: Greg Freemyer <greg.freemyer at gmail.com>
Sent: Monday, August 18, 2008 12:35 PM
To: Atlanta Linux Enthusiasts <ale at ale.org>
Subject: [ale] 300,000 failed login attempts in 6 months!!!
All,
Is there a way to only allow one ksh attempt per IP per timeframe?
And after X attempts to block it for an hour or so?
===> Details
I run our webserver on a virtual slice we rent from a hosting company.
Nothing very proprietary on it. In the last 60 seconds I'm getting a
lot of failed ksh attempts from just a couple of IPs.
Taking a look at /var/log/message I'm getting a surprising amount of
login attempts:
bash-3.00# grep "check pass; user unknown" messages | head
Feb 2 15:13:05 norcross sshd(pam_unix)[1861]: check pass; user unknown
Feb 2 15:13:18 norcross sshd(pam_unix)[1867]: check pass; user unknown
Feb 2 15:13:21 norcross sshd(pam_unix)[1869]: check pass; user unknown
Feb 3 01:01:49 norcross sshd(pam_unix)[9183]: check pass; user unknown
Feb 3 01:01:58 norcross sshd(pam_unix)[9185]: check pass; user unknown
Feb 3 01:02:07 norcross sshd(pam_unix)[9187]: check pass; user unknown
Feb 3 01:02:18 norcross sshd(pam_unix)[9189]: check pass; user unknown
Feb 3 09:26:40 norcross sshd(pam_unix)[9260]: check pass; user unknown
Feb 3 09:26:44 norcross sshd(pam_unix)[9262]: check pass; user unknown
Feb 3 09:26:47 norcross sshd(pam_unix)[9264]: check pass; user unknown
So it looks like I set up this server in Feb 2008 and I likely typed in
the user name wrong a few times.
Let's see how often in the last 6 months:
bash-3.00# grep "check pass; user unknown" messages | wc -l
363748
I must say I'm surprised to see that. I did not realize I could type
that fast. :-(
Is every hacker in the world trying to break in my little virtual server!!
I don't want to restrict access to private/public key authentication,
but other than continuing to use strong passwords, is there something
else I should be doing to slow down the onslaught.
Greg
--
Greg Freemyer
Litigation Triage Solutions Specialist
http://www.linkedin.com/in/gregfreemyer
First 99 Days Litigation White Paper -
http://www.norcrossgroup.com/forms/whitepapers/99%20Days%20whitepaper.pdf
The Norcross Group
The Intersection of Evidence & Technology
http://www.norcrossgroup.com
_______________________________________________
Ale mailing list
Ale at ale.org
http://mail.ale.org/mailman/listinfo/ale
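
The rate limit asked about in the original message (X failed attempts per IP within a timeframe, then a block for an hour), replayed over log lines as an added example; it is not part of either post and is not fail2ban's code. The names `find_bans`, `max_retry`, `find_time` and `ban_time` are hypothetical, and the sample lines are constructed, including the `rhost=` field that the excerpt in the message does not show.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the old sshd(pam_unix) style; IPs are documentation ranges.
F = "authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost="
SAMPLE_LOG = "\n".join([
    f"Aug 18 12:30:01 norcross sshd(pam_unix)[4101]: {F}203.0.113.7",
    "Aug 18 12:30:01 norcross sshd(pam_unix)[4101]: check pass; user unknown",
    f"Aug 18 12:30:04 norcross sshd(pam_unix)[4103]: {F}203.0.113.7",
    f"Aug 18 12:30:09 norcross sshd(pam_unix)[4105]: {F}203.0.113.7",
    f"Aug 18 12:31:00 norcross sshd(pam_unix)[4110]: {F}198.51.100.20",
    f"Aug 18 12:45:00 norcross sshd(pam_unix)[4120]: {F}203.0.113.7",
    f"Aug 18 12:50:00 norcross sshd(pam_unix)[4130]: {F}198.51.100.20",
    f"Aug 18 13:31:00 norcross sshd(pam_unix)[4201]: {F}203.0.113.7",
    f"Aug 18 13:31:02 norcross sshd(pam_unix)[4203]: {F}203.0.113.7",
    f"Aug 18 13:31:05 norcross sshd(pam_unix)[4205]: {F}203.0.113.7",
])

# Only lines that carry a remote host can be attributed to an IP.
FAIL_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\(pam_unix\)\[\d+\]: "
                     r"authentication failure;.*\brhost=(\S+)")

def find_bans(log_text, max_retry=3, find_time=timedelta(minutes=10),
              ban_time=timedelta(hours=1), year=2008):
    """Return [(ip, ban_start, ban_end)] for each IP reaching max_retry failures in find_time."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    banned_until = {}             # ip -> end of the current block
    bans = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; the year is an assumption passed in
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if ip in banned_until and ts < banned_until[ip]:
            continue              # inside a block: the firewall would have dropped it
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > find_time:
            window.popleft()      # forget failures older than the window
        if len(window) >= max_retry:
            banned_until[ip] = ts + ban_time
            bans.append((ip, ts, ts + ban_time))
            window.clear()        # start counting afresh after the block ends
    return bans
```

The function only decides which address to block and for how long; applying the block is left to the firewall or to a tool such as fail2ban, suggested in the reply.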