Date:      Thu, 10 Feb 2011 09:03:32 -0500
From:      Vadym Chepkov <vchepkov@gmail.com>
To:        Daniel Hartmeier <daniel@benzedrine.cx>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: brutal SSH attacks
Message-ID:  <94DFDF09-6C43-4A4D-B76A-FDFBF7C588B6@gmail.com>
In-Reply-To: <20110210075258.GB16942@insomnia.benzedrine.cx>
References:  <D04005BA-E154-4AE3-B14B-F9E6EF1269B0@gmail.com> <5A0B04327C334DA18745BFDBDBECE055@charlieroot.de> <A6E48F78-AC10-40DE-9345-86D14CC4D3A1@gmail.com> <98689EFE59404E4B838E79071AABA8B4@charlieroot.de> <56413CA2-EE4F-4E06-B044-0982E864E44D@gmail.com> <A141DF22-E35C-46BD-B88B-D68800812359@gmail.com> <20110209185118.GA16942@insomnia.benzedrine.cx> <FB3E9540-742A-4783-9813-B7DBCD515C7E@gmail.com> <20110210075258.GB16942@insomnia.benzedrine.cx>


On Feb 10, 2011, at 2:52 AM, Daniel Hartmeier wrote:
> 
>> Feb  8 11:27:57 castor sshd[57332]: Invalid user ashley from 113.185.0.16
> 
> diff = 3, count -= 8770 * 3 / 60, += 1000, count = 9332, last = 57
> 
> Now count is larger than your limit 9000, and the threshold is
> triggered, after 15 connections (the 16th is probably due to syslog
> not showing the precise timestamps).

Except it didn't :(
I just gave a sample of a one-minute interval.

I didn't want to post all entries to the list:

# bzgrep 113.185.0.16 /var/log/auth.log.0.bz2 | wc -l
    939


Vadym

> 
> You can re-calculate the steps with 30 <seconds> (instead of 60),
> and see how it triggers...
> 
> Daniel
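
Added example (not part of the original message, and not pf's own source): a small C model of the decaying counter that the quoted step "diff = 3, count -= 8770 * 3 / 60, += 1000" walks through, so the arithmetic can be replayed against any list of connection times. The struct and function names are hypothetical, the x1000 scaling is inferred from the quoted "+= 1000" and limit of 9000, and the timestamps in main() are constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define THRESHOLD_MULT 1000u /* fixed-point scale: the "+= 1000" in the quoted step */

struct threshold {           /* hypothetical names, for illustration only */
    uint32_t limit;          /* allowed connections, scaled by THRESHOLD_MULT */
    uint32_t seconds;        /* rate window in seconds */
    uint32_t count;          /* decaying, scaled connection counter */
    uint32_t last;           /* time of the previous connection */
};

/* Account for one connection at time `now`; return 1 if count exceeds limit. */
static int threshold_add(struct threshold *t, uint32_t now)
{
    uint32_t diff = now - t->last;

    if (diff >= t->seconds)
        t->count = 0;                              /* whole window elapsed */
    else
        t->count -= t->count * diff / t->seconds;  /* linear decay, integer math */
    t->count += THRESHOLD_MULT;
    t->last = now;
    return t->count > t->limit;
}

/* Replay n timestamps against a conns/seconds limit; return the 1-based
 * index of the first connection that exceeds it, or 0 if none does. */
static int first_trigger(uint32_t conns, uint32_t seconds,
                         const uint32_t *ts, int n)
{
    struct threshold t = { conns * THRESHOLD_MULT, seconds, 0, ts[0] };

    for (int i = 0; i < n; i++)
        if (threshold_add(&t, ts[i]))
            return i + 1;
    return 0;
}

int main(void)
{
    /* The quoted step: count 8770, previous connection at :54, next at :57. */
    struct threshold t = { 9000, 60, 8770, 54 };
    int over = threshold_add(&t, 57);
    printf("count=%u over=%d\n", t.count, over);

    uint32_t ts[30];                               /* constructed sample input */
    for (int i = 0; i < 30; i++)
        ts[i] = 3u * (uint32_t)i;                  /* one attempt every 3 seconds */
    printf("9/60 first exceeded at connection #%d\n", first_trigger(9, 60, ts, 30));
    return 0;
}
```

Feeding the real second-resolution timestamps from auth.log into first_trigger() shows where the counter should cross the limit for a given window.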



