[ale] 300,000 failed login attempts in 6 months!!!

Stephen Benjamin skbenja at gmail.com
Mon Aug 18 14:02:51 EDT 2008


Probably not since denyhosts parses logfiles from days or weeks prior when
you first run it.

Steve

On Mon, Aug 18, 2008 at 1:54 PM, Greg Freemyer <greg.freemyer at gmail.com> wrote:

> It added just over 1000 IPs to the hosts.deny list.
>
> Seems like a lot to me, but what do I know.
>
> Greg
>
> On Mon, Aug 18, 2008 at 1:39 PM, Greg Freemyer <greg.freemyer at gmail.com>
> wrote:
> > I'm going the denyhosts route.
> >
> > This is a CentOS server and it is in the default yum repository.  (A
> > couple versions old (2.4), but it should be fine.)
> >
> > Greg
> >
> > 2008/8/18 Stephen Benjamin <skbenja at gmail.com>:
> >> Hey Greg,
> >>
> >> I use DenyHosts: denyhosts.sourceforge.net
> >>
> >> Configurable to add users to /etc/hosts.deny after X number of failed
> >> attempts.  Also can autoblock faster on unknown users and attempted root
> >> logins.
> >>
> >> It works pretty well.
> >>
> >>
> >> - Steve
> >>
> >> On Mon, Aug 18, 2008 at 12:35 PM, Greg Freemyer <greg.freemyer at gmail.com>
> >> wrote:
> >>>
> >>> All,
> >>>
> >>> Is there a way to only allow one ksh attempt per IP per timeframe?
> >>> And after X attempts to block it for an hour or so?
> >>>
> >>> ===> Details
> >>>
> >>> I run our webserver on a virtual slice we rent from a hosting company.
> >>>  Nothing very proprietary on it.  In the last 60 seconds I'm getting a
> >>> lot of failed ksh attempts from just a couple of IPs.
> >>>
> >>> Taking a look at /var/log/message I'm getting a surprising amount of
> >>> login attempts:
> >>>
> >>> bash-3.00# grep "check pass; user unknown" messages | head
> >>> Feb  2 15:13:05 norcross sshd(pam_unix)[1861]: check pass; user unknown
> >>> Feb  2 15:13:18 norcross sshd(pam_unix)[1867]: check pass; user unknown
> >>> Feb  2 15:13:21 norcross sshd(pam_unix)[1869]: check pass; user unknown
> >>> Feb  3 01:01:49 norcross sshd(pam_unix)[9183]: check pass; user unknown
> >>> Feb  3 01:01:58 norcross sshd(pam_unix)[9185]: check pass; user unknown
> >>> Feb  3 01:02:07 norcross sshd(pam_unix)[9187]: check pass; user unknown
> >>> Feb  3 01:02:18 norcross sshd(pam_unix)[9189]: check pass; user unknown
> >>> Feb  3 09:26:40 norcross sshd(pam_unix)[9260]: check pass; user unknown
> >>> Feb  3 09:26:44 norcross sshd(pam_unix)[9262]: check pass; user unknown
> >>> Feb  3 09:26:47 norcross sshd(pam_unix)[9264]: check pass; user unknown
> >>>
> >>> So it looks like I set up this server in Feb 2008 and I likely typed in
> >>> the user name wrong a few times.
> >>>
> >>> Let's see how often in the last 6 months:
> >>>
> >>> bash-3.00# grep "check pass; user unknown" messages | wc -l
> >>> 363748
> >>>
> >>> I must say I'm surprised to see that.  I did not realize I could type
> >>> that fast. :-(
> >>>
> >>> Is every hacker in the world trying to break in my little virtual
> >>> server!!
> >>>
> >>> I don't want to restrict access to private/public key authentication,
> >>> but other than continuing to use strong passwords, is there something
> >>> else I should be doing to slow down the onslaught?
> >>>
> >>> Greg
> >>> --
> >>> Greg Freemyer
> >>> Litigation Triage Solutions Specialist
> >>> http://www.linkedin.com/in/gregfreemyer
> >>> First 99 Days Litigation White Paper -
> >>> http://www.norcrossgroup.com/forms/whitepapers/99%20Days%20whitepaper.pdf
> >>>
> >>> The Norcross Group
> >>> The Intersection of Evidence & Technology
> >>> http://www.norcrossgroup.com
> >>> _______________________________________________
> >>> Ale mailing list
> >>> Ale at ale.org
> >>> http://mail.ale.org/mailman/listinfo/ale
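Added example, not part of the thread and not DenyHosts' own code: a sketch of the per-IP thresholding described above (block after X failed attempts, sooner for unknown users and root), run over a whole log the way a first run over old logfiles would be. The threshold values, function names and sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed thresholds (hypothetical values, not taken from the thread):
# unknown users and root are blocked after fewer failures than valid accounts.
THRESHOLDS = {"invalid": 3, "root": 1, "valid": 5}

# OpenSSH "Failed password" line. The user group is greedy and the pattern is
# anchored at end of line, so the address comes from the trailing field that
# sshd writes, never from text inside the attempted user name.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>.*)"
    r" from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2\s*$"
)

def classify(match):
    """Return which threshold applies to this failed attempt."""
    if match.group("invalid"):
        return "invalid"
    return "root" if match.group("user") == "root" else "valid"

def hosts_to_deny(lines, thresholds=THRESHOLDS):
    """Return source IPs, in order of first offence, that reached a threshold."""
    counts = Counter()          # (ip, kind) -> failures seen so far
    denied = []
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue            # accepted logins and unrelated lines
        key = (m.group("ip"), classify(m))
        counts[key] += 1
        if counts[key] >= thresholds[key[1]] and key[0] not in denied:
            denied.append(key[0])
    return denied

def hosts_deny_entries(ips):
    """Format entries in the TCP wrappers 'daemon: client' syntax."""
    return [f"sshd: {ip}" for ip in ips]

# Constructed sample log (documentation address ranges), not from the thread.
SAMPLE_LOG = """\
Aug 18 12:30:01 examplehost sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2
Aug 18 12:30:03 examplehost sshd[2103]: Failed password for invalid user test from 203.0.113.5 port 40120 ssh2
Aug 18 12:30:05 examplehost sshd[2105]: Failed password for invalid user guest from 203.0.113.5 port 40131 ssh2
Aug 18 12:31:10 examplehost sshd[2110]: Failed password for root from 198.51.100.7 port 51515 ssh2
Aug 18 12:32:00 examplehost sshd[2120]: Failed password for greg from 192.0.2.44 port 33001 ssh2
Aug 18 12:32:30 examplehost sshd[2122]: Accepted password for greg from 192.0.2.44 port 33002 ssh2
""".splitlines()

if __name__ == "__main__":
    print("\n".join(hosts_deny_entries(hosts_to_deny(SAMPLE_LOG))))
```

Counts here are never aged out, so every address that ever crossed a threshold anywhere in the parsed history ends up listed.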