Forum Moderators: bakedjake
Obviously I would begin by blocking the IP. Should I create a script to temporarily block an IP for, say, 24 hours if an attempt to login fails three times from the same IP?
What do you guys/gals do in these cases?
Thank you for replies.
You could also use iptables to drop an IP block after a certain IP or TTL attempt has happened, set your passwords to some insane 20-char alpha/num passwords...
What service is being attacked? SSH? FTP? HTTP?
DenyHosts is what I am using for SSH...
For local shell access you could look into port knocking as a deterrent...
Daemon Shield may be your best friend here; it will monitor syslog for too many login attempts...
OF COURSE disable root login ability.
1a) Obviously make sure that your passwords are good and enforce password creation rules.
1b) Use unusual account names if you can.
1c) Forbid direct root logins if you can.
2) If you have anything which limits the number of attempts per unit time on any one account or from any one remote address then turn it on. SSH has some of this out of the box for example.
3) If you can limit which accounts have remote login access at all, then do. Root should not have direct remote access, i.e. an attacker has to break into at least 2 accounts rather than 1 to do anything really bad.
4) Insist on private/public keys for remote access, e.g. with SSH, if possible, which more-or-less eliminates the whole notion of a dictionary attack. I do that for most of my remote servers.
YMMV, etc...
Rgds
Damon
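An added example, not from any poster in this thread, of the log-scanning logic the original post asks about and the per-address rate limiting in point 2 above: it counts failed SSH password attempts per source address over constructed sample syslog lines and returns the addresses that reach three failures inside a sliding window, together with a 24-hour ban expiry. The sshd log format, the 10-minute window and the log year are assumptions; the iptables rule is only built as a string, never executed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in sshd/syslog format (not real traffic).
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Mar  3 10:00:04 host sshd[1002]: Failed password for root from 203.0.113.7 port 51001 ssh2
Mar  3 10:00:09 host sshd[1003]: Failed password for invalid user test from 203.0.113.7 port 51002 ssh2
Mar  3 10:05:00 host sshd[1010]: Failed password for bob from 198.51.100.2 port 40000 ssh2
Mar  3 10:06:00 host sshd[1011]: Accepted publickey for bob from 198.51.100.2 port 40001 ssh2
Mar  3 12:00:00 host sshd[1020]: Failed password for invalid user oracle from 192.0.2.9 port 33000 ssh2
Mar  3 13:00:00 host sshd[1021]: Failed password for invalid user oracle from 192.0.2.9 port 33001 ssh2
Mar  3 14:00:00 host sshd[1022]: Failed password for invalid user oracle from 192.0.2.9 port 33002 ssh2
"""

# Matches the timestamp and source address of a failed password attempt.
FAILED_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (\S+) port"
)

def parse_failures(log_text, year=2024):
    """Yield (timestamp, ip) for each failed-password line; syslog has no year, so one is assumed."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2)

def find_offenders(log_text, threshold=3, window=timedelta(minutes=10), ban=timedelta(hours=24)):
    """Return {ip: ban_expiry} for addresses with >= threshold failures inside any sliding window."""
    recent = defaultdict(list)
    bans = {}
    for ts, ip in parse_failures(log_text):
        if ip in bans:
            continue  # already banned; no need to keep counting
        hits = [t for t in recent[ip] if ts - t <= window] + [ts]  # drop attempts older than the window
        recent[ip] = hits
        if len(hits) >= threshold:
            bans[ip] = ts + ban
    return bans

def iptables_rule(ip):
    """Build (but do not run) the iptables command that drops traffic from a banned address."""
    return ["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]

if __name__ == "__main__":
    for ip, expiry in find_offenders(SAMPLE_LOG).items():
        print(f"{ip} banned until {expiry}: {' '.join(iptables_rule(ip))}")
```

Note that 192.0.2.9 is not banned: its three failures are an hour apart, so they never fall inside the same 10-minute window, which is the slow-scan case a fixed-count rule on the raw log would miss.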