Message-ID: <5bc4c4570606050806w6497ae95x6164274b3cc33b3e@mail.gmail.com>
Date: Mon, 5 Jun 2006 12:06:37 -0300
From: "Leandro Melo de Sales"
To: gentoo-user@lists.gentoo.org
Subject: [gentoo-user] SSH authentication attempts - serious issue

Hi,

today when I was checking the server log I got many external attempts to connect to my sshd service:

...
Jun 5 05:09:45 embedded sshd[4740]: Invalid user barbara from x.y.w.z
Jun 5 05:09:46 embedded sshd[4742]: Invalid user barb from x.y.w.z
Jun 5 05:09:48 embedded sshd[4744]: Invalid user barbie from x.y.w.z
Jun 5 05:09:50 embedded sshd[4746]: Invalid user barbra from x.y.w.z
Jun 5 05:09:51 embedded sshd[4748]: Invalid user barman from x.y.w.z
Jun 5 05:09:53 embedded sshd[4750]: Invalid user barney from x.y.w.z
...

this seems to be a brute force attack, but one thing that worried me is why sshd didn't disconnect the remote host after 3 unsuccessful attempts? If we see in the log, there are many attempts with time interval between attempts of 2 or 3 seconds meaning that the sshd didn't disconnect the remote host after 3 attempts.

So, first, am I thinking correctly about the sshd attempts? Second, how can I set up sshd or the entire system to permit just 2 or 3 attempts of authentication? I was checking the /etc/login.defs file and I see the following option:

#
# Max number of login retries if password is bad
#
LOGIN_RETRIES 3

but why didn't this work for the above connection attempts?

Thank you,
Leandro.
--
gentoo-user@gentoo.org mailing list