[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: PAM tarpit module for repeated SSH login attempts

On Wed, Oct 20, 2004 at 06:04:29PM +0200, Javier Fernández-Sanguino Peña  wrote:
> To tarpit remote password/login attempts I think it would be best 
> if you just tarpited remote attempts for _invalid_ users which I believe 
> you are currently not accounting for. Notice that even if there are known 
> user accounts there is a slim chance that your system might have one of 
> those (unless you are asking for trouble), so you actually get more 
> attempts for invalid users that attempts for valid users with wrong 
> passwords. 

(This thread has been quite silent after my post, let's see if someone

For those that might not agree with the above, maybe the following URL 
(From a honeynet diary I just stumbled into ) migh be useful:

The diary documents 117 password attempts in a single day, for ~50 users. 
Root concentrates a lot of password attempts (over half of those) but the 
rest are targeted towards many different users (which don't exist in the 
system at all) 



PS: A similar pattern can be found at
(110 password attempts, 53% for root and the others distributed in common 
user accounts). Only 12% of the users tests are legitimate 

Attachment: signature.asc
Description: Digital signature

Reply to: