
Re: PAM tarpit module for repeated SSH login attempts



On Wed, Oct 20, 2004 at 06:04:29PM +0200, Javier Fernández-Sanguino Peña wrote:
> 
> To tarpit remote password/login attempts I think it would be best 
> if you just tarpitted remote attempts for _invalid_ users which I believe 
> you are currently not accounting for. Notice that even if there are known 
> user accounts there is a slim chance that your system might have one of 
> those (unless you are asking for trouble), so you actually get more 
> attempts for invalid users than attempts for valid users with wrong 
> passwords. 

(This thread has been quite silent after my post, let's see if someone
bites...)

For those that might not agree with the above, maybe the following URL 
(from a honeynet diary I just stumbled into) might be useful:
http://www.security.org.sg/gtec/honeynet/viewdiary.php?diary=20041026

The diary documents 117 password attempts in a single day, for ~50 users. 
Root concentrates a lot of password attempts (over half of those) but the 
rest are targeted towards many different users (which don't exist in the 
system at all).

Cheers!

Javier

PS: A similar pattern can be found at
http://www.security.org.sg/gtec/honeynet/viewdiary.php?diary=20041012 
(110 password attempts, 53% for root and the others distributed in common 
user accounts). Only 12% of the users tested are legitimate 
users.
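
The split discussed in this message (failed attempts for root, for other existing accounts, and for accounts that do not exist) can be measured on your own sshd log before choosing a tarpit policy. The following is an added example, not part of the original post and not the PAM module's code; the log lines are constructed, and the function names and the threshold of 3 are assumptions.

```python
import re
from collections import Counter

# sshd password-failure line. Older OpenSSH releases logged "illegal user",
# later ones "invalid user", for accounts that do not exist on the system.
FAILED = re.compile(
    r"Failed password for (?P<inv>(?:invalid|illegal) user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

# Constructed sample log (documentation addresses, made-up user names).
SAMPLE_LOG = """\
Oct 26 03:11:01 host sshd[811]: Failed password for root from 192.0.2.10 port 40001 ssh2
Oct 26 03:11:04 host sshd[813]: Failed password for root from 192.0.2.10 port 40002 ssh2
Oct 26 03:11:07 host sshd[815]: Failed password for invalid user test from 192.0.2.10 port 40003 ssh2
Oct 26 03:11:10 host sshd[817]: Failed password for invalid user guest from 192.0.2.10 port 40004 ssh2
Oct 26 03:11:13 host sshd[819]: Failed password for illegal user admin from 192.0.2.10 port 40005 ssh2
Oct 26 09:30:00 host sshd[901]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Oct 26 09:30:09 host sshd[903]: Accepted password for alice from 198.51.100.7 port 51001 ssh2
Oct 26 14:02:44 host sshd[950]: Failed password for invalid user oracle from 198.51.100.23 port 60000 ssh2
"""

def summarize(lines):
    """Count failures per class and invalid-user failures per source address."""
    by_class, users, invalid_by_src = Counter(), set(), Counter()
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        users.add(m.group("user"))
        if m.group("inv"):
            by_class["invalid"] += 1
            invalid_by_src[m.group("src")] += 1
        elif m.group("user") == "root":
            by_class["root"] += 1
        else:
            by_class["valid"] += 1
    return by_class, users, invalid_by_src

def tarpit_candidates(invalid_by_src, threshold=3):
    """Sources with at least `threshold` attempts against nonexistent users."""
    return sorted(s for s, n in invalid_by_src.items() if n >= threshold)

if __name__ == "__main__":
    classes, users, per_src = summarize(SAMPLE_LOG.splitlines())
    print(dict(classes), len(users), tarpit_candidates(per_src))
```

Keying the tarpit on invalid-user failures leaves a legitimate user who mistypes a password (alice in the sample) unaffected.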
