Date: Sat, 19 Aug 2006 16:29:38 -0500
From: "Scot Hetzel" <swhetzel@gmail.com>
To: "Pieter de Boer" <pieter@thedarkside.nl>
Cc: freebsd-security@freebsd.org
Subject: Re: SSH scans vs connection ratelimiting
Message-ID: <790a9fff0608191429p180c20celc7b9ebae811097cd@mail.gmail.com>
In-Reply-To: <44E76B21.8000409@thedarkside.nl>
References: <44E76B21.8000409@thedarkside.nl>

On 8/19/06, Pieter de Boer <pieter@thedarkside.nl> wrote:
> This works as expected, IP-addresses are added to the 'lamers'-table
> every once in a while.
>
> However, there apparently are SSH bruteforcers that simply use one
> connection to perform a brute-force attack:
>
> Aug 18 00:00:01 aberdeen sshd[87989]: Invalid user serwis from 83.19.113.122
> Aug 18 00:00:03 aberdeen sshd[88010]: Invalid user serwis from 83.19.113.122
> Aug 18 00:00:05 aberdeen sshd[88012]: Invalid user serwis from 83.19.113.122
> Aug 18 00:00:10 aberdeen sshd[88014]: Invalid user serwis from 83.19.113.122
> Aug 18 00:00:13 aberdeen sshd[88019]: Invalid user serwis from 83.19.113.122
> Aug 18 00:00:14 aberdeen sshd[88021]: Invalid user serwis from 83.19.113.122
>

It looks as though you need to lower 'MaxAuthTries' in your sshd_config
file, as the default is set to allow six authentication attempts per
connection. You'll find this in the sshd_config(5) man page.

Scot
-- 
DISCLAIMER: No electrons were maimed while sending this message. Only slightly bruised.
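
Added example, not part of the original message: a shell check of the global MaxAuthTries value that an sshd_config text yields, falling back to the default of six mentioned in the reply. The function names and the sample configuration are constructed for illustration, and Include files are not followed.

```shell
#!/bin/sh
# Print the global MaxAuthTries for sshd_config text read on stdin.
effective_max_auth_tries() {
    awk '
        {
            line = $0
            sub(/^[ \t]+/, "", line)              # leading whitespace is ignored
            if (line == "" || line ~ /^#/) next   # skip blank lines and comments
            n = match(line, /[ \t=]/)             # keyword ends at whitespace or "="
            if (n == 0) next
            key = tolower(substr(line, 1, n - 1)) # keywords are case-insensitive
            val = substr(line, n)
            sub(/^[ \t]*=?[ \t]*/, "", val)       # drop the separator
            sub(/[ \t]+$/, "", val)
            if (key == "match") exit              # global section ends at first Match
            if (key == "maxauthtries") { found = val; exit }  # first value wins
        }
        END { print (found == "" ? 6 : found) }   # 6 is the sshd default
    '
}

# Succeed only when the global value is numeric and at or below the limit in $1.
max_auth_tries_at_most() {
    value=$(effective_max_auth_tries)
    [ "$value" -le "$1" ] 2>/dev/null
}

# Constructed sample configuration (assumption, not from the thread).
sample_config() {
    cat <<'EOF'
# MaxAuthTries 2
Port 22
maxauthtries = 3
MaxAuthTries 10
Match User backup
    MaxAuthTries 1
EOF
}

echo "effective global MaxAuthTries: $(sample_config | effective_max_auth_tries)"
if sample_config | max_auth_tries_at_most 3; then
    echo "OK: at most 3 authentication attempts per connection"
else
    echo "WARN: more than 3 authentication attempts per connection"
fi
```

On a real host, feed the function the live file, for example `effective_max_auth_tries < /etc/ssh/sshd_config`.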