[ale] 300,000 failed login attempts in 6 months!!!

Greg Freemyer greg.freemyer at gmail.com
Mon Aug 18 13:54:56 EDT 2008


It added just over 1000 IPs to the hosts.deny list.

Seems like a lot to me, but what do I know.

Greg

On Mon, Aug 18, 2008 at 1:39 PM, Greg Freemyer <greg.freemyer at gmail.com> wrote:
> I'm going the denyhosts route.
>
> This is a CentOS server and it is in the default yum repository.  (A
> couple versions old (2.4), but it should be fine.)
>
> Greg
>
> 2008/8/18 Stephen Benjamin <skbenja at gmail.com>:
>> Hey Greg,
>>
>> I use DenyHosts: denyhosts.sourceforge.net
>>
>> Configurable to add users to /etc/hosts.deny after X number of failed
>> attempts.  Also can autoblock faster on unknown users and attempted root
>> logins.
>>
>> It works pretty well.
>>
>>
>> - Steve
>>
>> On Mon, Aug 18, 2008 at 12:35 PM, Greg Freemyer <greg.freemyer at gmail.com>
>> wrote:
>>>
>>> All,
>>>
>>> Is there a way to only allow one ksh attempt per IP per timeframe?
>>> And after X attempts to block it for an hour or so?
>>>
>>> ===> Details
>>>
>>> I run our webserver on a virtual slice we rent from a hosting company.
>>>  Nothing very proprietary on it.  In the last 60 seconds I'm getting a
>>> lot of failed ksh attempts from just a couple of IPs.
>>>
>>> Taking a look at /var/log/message I'm getting a surprising amount of
>>> login attempts:
>>>
>>> bash-3.00# grep "check pass; user unknown" messages | head
>>> Feb  2 15:13:05 norcross sshd(pam_unix)[1861]: check pass; user unknown
>>> Feb  2 15:13:18 norcross sshd(pam_unix)[1867]: check pass; user unknown
>>> Feb  2 15:13:21 norcross sshd(pam_unix)[1869]: check pass; user unknown
>>> Feb  3 01:01:49 norcross sshd(pam_unix)[9183]: check pass; user unknown
>>> Feb  3 01:01:58 norcross sshd(pam_unix)[9185]: check pass; user unknown
>>> Feb  3 01:02:07 norcross sshd(pam_unix)[9187]: check pass; user unknown
>>> Feb  3 01:02:18 norcross sshd(pam_unix)[9189]: check pass; user unknown
>>> Feb  3 09:26:40 norcross sshd(pam_unix)[9260]: check pass; user unknown
>>> Feb  3 09:26:44 norcross sshd(pam_unix)[9262]: check pass; user unknown
>>> Feb  3 09:26:47 norcross sshd(pam_unix)[9264]: check pass; user unknown
>>>
>>> So it looks like I set up this server in Feb 2008 and I likely typed in
>>> the user name wrong a few times.
>>>
>>> Let's see how often in the last 6 months:
>>>
>>> bash-3.00# grep "check pass; user unknown" messages | wc -l
>>> 363748
>>>
>>> I must say I'm surprised to see that.  I did not realize I could type
>>> that fast. :-(
>>>
>>> Is every hacker in the world trying to break in my little virtual server!!
>>>
>>> I don't want to restrict access to private/public key authentication,
>>> but other than continuing to use strong passwords, is there something
>>> else I should be doing to slow down the onslaught?
>>>
>>> Greg
>>> --
>>> Greg Freemyer
>>> Litigation Triage Solutions Specialist
>>> http://www.linkedin.com/in/gregfreemyer
>>> First 99 Days Litigation White Paper -
>>> http://www.norcrossgroup.com/forms/whitepapers/99%20Days%20whitepaper.pdf
>>>
>>> The Norcross Group
>>> The Intersection of Evidence & Technology
>>> http://www.norcrossgroup.com
>>> _______________________________________________
>>> Ale mailing list
>>> Ale at ale.org
>>> http://mail.ale.org/mailman/listinfo/ale



-- 
Greg Freemyer
Litigation Triage Solutions Specialist
http://www.linkedin.com/in/gregfreemyer
First 99 Days Litigation White Paper -
http://www.norcrossgroup.com/forms/whitepapers/99%20Days%20whitepaper.pdf

The Norcross Group
The Intersection of Evidence & Technology
http://www.norcrossgroup.com
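
Added example, not part of the original message and not DenyHosts' own code: a sketch of the rule discussed in the thread (block a host after X failed attempts within a timeframe), run over constructed log lines. The `authentication failure; ... rhost=` line layout, the threshold of 3 and the 10-minute window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the sshd(pam_unix) style quoted in the thread; rhost= values are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
Feb  3 01:01:49 norcross sshd(pam_unix)[9183]: check pass; user unknown
Feb  3 01:01:49 norcross sshd(pam_unix)[9183]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=203.0.113.7
Feb  3 01:01:58 norcross sshd(pam_unix)[9185]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=203.0.113.7
Feb  3 01:02:07 norcross sshd(pam_unix)[9187]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=203.0.113.7
Feb  3 09:26:40 norcross sshd(pam_unix)[9260]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=198.51.100.20
Feb  4 17:40:02 norcross sshd(pam_unix)[9301]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=198.51.100.20
"""

FAILURE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\(pam_unix\)\[\d+\]: "
    r"authentication failure;.*\brhost=(\S+)"
)

def failures_by_host(lines, year=2008):
    """Map each rhost to the sorted timestamps of its failed logins."""
    seen = defaultdict(list)
    for line in lines:
        m = FAILURE.match(line)
        if m:
            # syslog omits the year, so the caller supplies it
            when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            seen[m.group(2)].append(when)
    return {host: sorted(times) for host, times in seen.items()}

def offenders(lines, threshold=3, window=timedelta(minutes=10)):
    """Hosts with at least `threshold` failures inside any one `window`."""
    blocked = []
    for host, times in failures_by_host(lines).items():
        start = 0
        for end, when in enumerate(times):
            while when - times[start] > window:
                start += 1  # slide the window's left edge forward
            if end - start + 1 >= threshold:
                blocked.append(host)
                break
    return sorted(blocked)

def hosts_deny_entries(hosts, service="sshd"):
    """Format hosts as TCP wrappers rules for /etc/hosts.deny."""
    return [f"{service}: {host}" for host in hosts]

if __name__ == "__main__":
    print("\n".join(hosts_deny_entries(offenders(SAMPLE_LOG.splitlines()))))
```

Only 203.0.113.7 is listed: its three failures fall within 18 seconds, while the two from 198.51.100.20 are more than a day apart and never share a window.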

