[ale] 300,000 failed login attempts in 6 months!!!

Jeff Woods jeff.woods at choicepoint.com
Mon Aug 18 13:30:49 EDT 2008


IPTables contains a feature which allows you to drop requests from a 
certain address after a certain number of connections (successful or 
otherwise!) per unit time.  For instance, to limit four ssh connections 
per minute per IP address:

-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent 
--update --seconds 60 --hitcount 4 --name DEFAULT --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set 
--name DEFAULT --rsource

After one minute, the a blocked host is allowed to connect again, but 
I've found that this is often enough to convince folks to waste their 
time somewhere else.

Keep your end users in mind -- if you have ssh open to the Internet, 
someone must be using it.  If they forget their passwords, what's going 
to happen when they get blocked for an hour?

Greg Freemyer wrote:
> All,
>
> Is there a way to only allow one ksh attempt per IP per timeframe.
> And after X attempts to block it for an hour or so?
>
> ===> Details
>
> I run our webserver on a virtual slice we rent from a hosting company.
>  Nothing very proprietary on it.  In the last 60 seconds I'm getting a
> lot of failed ksh attempts from just a couple of IPs.
>
> Taking a look at /var/log/message I'm getting a surprising amount of
> login attempts.:
>
> bash-3.00# grep "check pass; user unknown" messages | head
> Feb  2 15:13:05 norcross sshd(pam_unix)[1861]: check pass; user unknown
> Feb  2 15:13:18 norcross sshd(pam_unix)[1867]: check pass; user unknown
> Feb  2 15:13:21 norcross sshd(pam_unix)[1869]: check pass; user unknown
> Feb  3 01:01:49 norcross sshd(pam_unix)[9183]: check pass; user unknown
> Feb  3 01:01:58 norcross sshd(pam_unix)[9185]: check pass; user unknown
> Feb  3 01:02:07 norcross sshd(pam_unix)[9187]: check pass; user unknown
> Feb  3 01:02:18 norcross sshd(pam_unix)[9189]: check pass; user unknown
> Feb  3 09:26:40 norcross sshd(pam_unix)[9260]: check pass; user unknown
> Feb  3 09:26:44 norcross sshd(pam_unix)[9262]: check pass; user unknown
> Feb  3 09:26:47 norcross sshd(pam_unix)[9264]: check pass; user unknown
>
> So it looks like I setup this server in Feb 2008 and I likely typed in
> the user name wrong a few times.
>
> Lets see how often in the last 6 months:
>
> bash-3.00# grep "check pass; user unknown" messages | wc -l
> 363748
>
> I must say I'm surprised to see that.  I did not realize I could type
> that fast. :-(
>
> Is every hacker in the world trying to break in my little virtual server!!
>
> I don't want to restrict access to private/public key authentication,
> but other than continueing to use strong passwords, is there something
> else I should be doing to slow down the onslaught.
>
> Greg
>   

-----------------------------------------
The information contained in this e-mail message is intended only
for the personal and confidential use of the recipient(s) named
above. This message may be an attorney-client communication and/or
work product and as such is privileged and confidential. If the
reader of this message is not the intended recipient or an agent
responsible for delivering it to the intended recipient, you are
hereby notified that you have received this document in error and
that any review, dissemination, distribution, or copying of this
message is strictly prohibited. If you have received this
communication in error, please notify us immediately by e-mail, and
delete the original message.


More information about the Ale mailing list