[thelist] SSH login attacks

sbeam sbeam at onsetcorps.net
Thu May 5 10:08:12 CDT 2005

On Thursday 05 May 2005 06:47 am, Getafixx wrote:
> the script seems to try 4 passwords for each account. But frankly they 
> are trying accounts that no one in their right mind would set up 
> (apart from root)

you will get these almost every day on any machine that listens on port 

> OR do you have the first attempt return quickly and then later 
> from the same IP (even if they are a few seconds apart) just keep 
> squaring the time taken to return, so 1 2 4 16 96 9216 84934656 
> 7213895789838336 and so on.. so that you are just slowly killing the 
> attempts.

This sounds good but there is no way to do it with sshd that I know of. 
Have seen scripts that scan the logs and add the offending IPs to 
hosts.deny, you could google that. 

Also look up pam_tally if you are on a Linux/BSD system that uses PAM. 
Never used it but it seems like it might do what you want if you get it 

Another simpler idea is to run ssh on a non-standard port. That works 
well for systems with just a few known users who know what a port is.
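
The log-scanning approach mentioned in the message above, sketched as an added example that is not part of the original post or any particular script: it counts sshd "Failed password" lines per source address and produces `hosts.deny` entries. The function names, the threshold of 4, the allow list and the sample log lines are assumptions made for illustration.

```python
import re
from collections import Counter

# OpenSSH "Failed password" lines; older releases log "illegal user", newer
# ones "invalid user". The pattern is anchored at the end of the line so the
# address taken is the one sshd appended, never text inside the username.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:invalid|illegal) user )?(?P<user>.*)"
    r" from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+(?: ssh\d?)?$"
)

def failed_by_ip(lines):
    """Count failed password attempts per source IP."""
    counts = Counter()
    for line in lines:
        m = FAILED.search(line.rstrip())
        if m:
            counts[m.group("ip")] += 1
    return counts

def deny_entries(lines, threshold=4, allow=(), already_denied=()):
    """Return hosts.deny lines for IPs with at least `threshold` failures.

    `allow` holds addresses that must never be blocked (e.g. your own);
    `already_denied` holds addresses already present in hosts.deny.
    """
    skip = set(allow) | set(already_denied)
    return [f"sshd: {ip}" for ip, n in sorted(failed_by_ip(lines).items())
            if n >= threshold and ip not in skip]

# Constructed sample log lines (documentation address ranges, not real hosts).
P = "May  5 06:47:01 host sshd[2101]: "
SAMPLE = [
    P + "Failed password for illegal user test from 192.0.2.10 port 40001 ssh2",
    P + "Failed password for illegal user guest from 192.0.2.10 port 40002 ssh2",
    P + "Failed password for root from 192.0.2.10 port 40003 ssh2",
    P + "Failed password for invalid user admin from 192.0.2.10 port 40004 ssh2",
    P + "Failed password for alice from 198.51.100.7 port 51000 ssh2",
    P + "Accepted password for alice from 198.51.100.7 port 51001 ssh2",
    # Username that itself contains a look-alike " from <ip>" string.
    P + "Failed password for invalid user a from 203.0.113.9 port 1 ssh2"
        " from 192.0.2.10 port 40005 ssh2",
]

if __name__ == "__main__":
    print("\n".join(deny_entries(SAMPLE)))
```

The entries take effect only where sshd is built with TCP wrappers support, which OpenSSH removed in release 6.7.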


