On 2017-06-30 15:35, Ed Greshko wrote:
On 06/30/17 09:10, jdow wrote:
A rule like this makes cracking your 123456 password a whole lot harder without
changing anything else.
iptables -t filter -A IN_public_deny -p tcp --dport pop3s --syn \
    -m recent --name pop3s_attack --rcheck --seconds 90 --hitcount 2 \
    -j LOG --log-prefix 'SSH2 REJECT: ' --log-level info

The magic is in "-m recent --rcheck --seconds 90 --hitcount 2". That means any
given site gets one chance to login before facing a 90 second blockage. If they
have to guess "AZBYCXDW" as a password you can imagine how long you have to catch
him in your log and explicitly block his whole subnet.


I once did rate limiting on brute force login attempts.  But I found that all the
attempts were scripted.  So instead of an attack from a single IP address happening
for a minute or so the attack simply went on for hours.  The same number of attempts
were made.

I have never seen the hours-long attack. Back when I was just using the standard ssh port I'd see one hit, one try for a password, and about 10 to 1000 rapid-fire hits on the ssh port, all blocked. ONCE I saw symptoms of waiting for several minutes and trying again. I noticed it within 24 hours even though the dweeb only tried about 10 times. I blocked his entire IP block since it was in a country I have no desire to ever visit.

I do keep watch. If a determined person starts at the time logwatch runs, notices the second-try lockout, makes a VERY good guess of the time, and tries every 91 seconds, that's under 1000 attempts before the next logwatch time and another 400-ish times before I go through the report and notice the login attempts. Suppose the password is a nonsense word 5 to 8 characters long. How likely is he to be able to fuzz it within 1400 tries? I end up with a cluttered log and a blocked IP range before dweeble can go any further. I'd also equally quickly notice attempts from multiple IPs. In theory, with thousands of sites pounding mine he could achieve access to a machine set up like mine on a pathetically slow DSL link in a few days. It would stand out in my logs like a huge red flare during a dark moonless night. Emotionally I operate the firewall as if I had sshd with passworded root access open, so that I watch it closely. I don't want to get complacent. (Long semi-nonsense passwords tend to do that, especially when you have throw-away accounts with such passwords that have not been cracked in the three decades I have been online, from the old CP/M days through to today.)

{^_^}
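An added example, not code from this thread or from either poster: a small Python model of the iptables `recent` match semantics that the rule above relies on. The kernel's `--rcheck` only reads the per-name address list; some other rule (normally a `--set` on the same `--name`, placed before the `--rcheck` rule) has to record each SYN, which is assumed here. The model records every SYN and then rejects the packet when the source already has at least `--hitcount` timestamps no older than `--seconds`. The sample traffic (a rapid-fire guesser, a patient guesser spacing tries 91 seconds apart as discussed in the reply, and one ordinary client) and the addresses are constructed for the example.

```python
"""
Model of the iptables xt_recent "set, then rcheck" pattern.

Assumed companion rule pair (stock iptables syntax, not quoted from the thread):

    iptables -A IN_public_deny -p tcp --dport pop3s --syn \
        -m recent --name pop3s_attack --set
    iptables -A IN_public_deny -p tcp --dport pop3s --syn \
        -m recent --name pop3s_attack --rcheck --seconds 90 --hitcount 2 \
        -j REJECT

Rule 1 stores the timestamp of every SYN for the source address; rule 2 fires
when the source already has HITCOUNT or more timestamps within SECONDS.
"""
from collections import defaultdict, deque

SECONDS = 90        # --seconds 90
HITCOUNT = 2        # --hitcount 2
PKT_LIST_TOT = 20   # xt_recent keeps at most ip_pkt_list_tot stamps per address (module default 20)


class RecentTable:
    """One named xt_recent list: source address -> recent timestamps, newest last."""

    def __init__(self, pkt_list_tot=PKT_LIST_TOT):
        self.stamps = defaultdict(lambda: deque(maxlen=pkt_list_tot))

    def set(self, src, now):
        """--set: record the current packet's timestamp for src (oldest stamp drops off)."""
        self.stamps[src].append(now)

    def rcheck(self, src, now, seconds=SECONDS, hitcount=HITCOUNT):
        """--rcheck --seconds S --hitcount N: True when src has at least N stamps
        that are not older than S seconds (boundary inclusive, as in xt_recent).
        Unlike --update, this does not touch the table."""
        cutoff = now - seconds
        hits = sum(1 for t in self.stamps.get(src, ()) if t >= cutoff)
        return hits >= hitcount


def classify(events, seconds=SECONDS, hitcount=HITCOUNT):
    """Run the rule pair over (timestamp, src) SYN events in arrival order.
    Returns a list of (timestamp, src, verdict) with verdict ACCEPT or REJECT."""
    table = RecentTable()
    verdicts = []
    for now, src in events:
        table.set(src, now)                                   # rule 1: --set
        blocked = table.rcheck(src, now, seconds, hitcount)   # rule 2: --rcheck
        verdicts.append((now, src, "REJECT" if blocked else "ACCEPT"))
    return verdicts


def summarize(verdicts):
    """Per-source ACCEPT/REJECT counts, the view a log reviewer would want."""
    counts = defaultdict(lambda: {"ACCEPT": 0, "REJECT": 0})
    for _, src, verdict in verdicts:
        counts[src][verdict] += 1
    return dict(counts)


# Constructed sample traffic (timestamps in seconds, documentation-range addresses).
SAMPLE_EVENTS = [
    (0,   "198.51.100.7"),   # rapid guesser: first SYN gets through
    (0,   "203.0.113.9"),    # patient guesser: first SYN gets through
    (5,   "198.51.100.7"),   # second SYN within 90 s -> rejected
    (10,  "192.0.2.44"),     # ordinary client: a single SYN
    (30,  "198.51.100.7"),   # still rejected
    (91,  "203.0.113.9"),    # 91 s after the first: only one stamp in window -> accepted
    (120, "198.51.100.7"),   # stamps 30 and 120 are both within 90 s -> rejected
    (182, "203.0.113.9"),    # 91 s spacing keeps sliding past hitcount 2
]

if __name__ == "__main__":
    for now, src, verdict in classify(SAMPLE_EVENTS):
        print(f"t={now:>4}s {src:<14} {verdict}")
    print(summarize(classify(SAMPLE_EVENTS)))
```

The model makes the thread's two observations concrete: the rapid guesser gets one SYN through and is then rejected for as long as it keeps retrying inside the window, because each rejected SYN is itself recorded; a guesser that waits just over `--seconds` between tries is never matched, which is exactly the slow, hours-long pattern the first reply describes and the reason the log still needs a human (or logwatch) looking at it.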
_______________________________________________
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
