Re: SSH scans vs connection ratelimiting
On 8/19/06, Pieter de Boer <pieter@thedarkside.nl> wrote:
> This works as expected, IP-addresses are added to the 'lamers'-table
> every once in a while.
>
> However, there apparently are SSH bruteforcers that simply use one
> connection to perform a brute-force attack:
>
> Aug 18 00:00:01 aberdeen sshd[87989]: Invalid user serwis from 83.19.113.122
> Aug 18 00:00:03 aberdeen sshd[88010]: Invalid user serwis from 83.19.113.122
> Aug 18 00:00:05 aberdeen sshd[88012]: Invalid user serwis from 83.19.113.122
> Aug 18 00:00:10 aberdeen sshd[88014]: Invalid user serwis from 83.19.113.122
> Aug 18 00:00:13 aberdeen sshd[88019]: Invalid user serwis from 83.19.113.122
> Aug 18 00:00:14 aberdeen sshd[88021]: Invalid user serwis from 83.19.113.122
>
>
It looks as though you need to lower 'MaxAuthTries' in your
sshd_config file, as the default is set to allow six authentication
attempts per connection.
You'll find this in the sshd_config(5) man page.
Scot
--
DISCLAIMER:
No electrons were mamed while sending this message. Only slightly bruised.
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
討論串 (同標題文章)
完整討論串 (本文為第 2 之 16 篇):