Bogus "account hacked" message
Jon Elson
elson at pico-systems.com
Tue Jan 8 20:56:34 CST 2019
On 01/08/2019 04:33 PM, Fred Cisin via cctalk wrote:
> On Tue, 8 Jan 2019, allison via cctalk wrote:
>> Standard lockout after three fails is 15 minutes.
>
> Howzbout:
> a quarter second lockout after a fail;
> double that for each subsequent fail.
> Three tries to get it right will not be inconvenienced.
> But, by 32 tries, it's up to a billion seconds.
>
Interesting observation I made a few years ago. I run a web
store, and was being inundated with ssh login attempts.
About 1000/day! I decided this was serious, they'd
eventually get lucky.
So, searching available software, I found denyhosts. It
checks the logs for login failures, and after a set
threshold, it puts the source IP into the hosts.deny list,
and your machine effectively disappears from that source
IP's view. I set the rules very strictly, so that after 3
login failures over a 2 month span, that IP was blocked for
a year. Something very interesting happened.
The number of attempts did not diminish immediately, as the
botnets had a large number of compromised machines. But,
suddenly, two weeks to the EXACT HOUR when I set up
denyhosts, the attacks dropped from 1000/day to 3! Just
like flipping a switch! So, these hackers have a dark net
list somewhere where they trade IP addresses of machines
they would like to hack, and what they can figure out about
the security measures implemented on them. When they have
demonstrated by coordinated attempts that your lockout
horizon is over two weeks, they put out the word that your
site is not going to bear any fruit.
I currently have 9000-some blocked IPs in hosts.deny; I
wonder how much that slows down my store. Ugh, the stuff we
are forced to go through.
Jon
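As an added illustration (not code from the thread or from denyhosts), the two schemes discussed above in Python: Fred's doubling lockout schedule, and a denyhosts-style scan that blocks a source IP once it reaches a failure threshold inside a time window. The sshd log lines are constructed samples, and the log format regex, the 2019 year and the 60-day window standing in for Jon's "2 month span" are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sshd auth.log sample (not real traffic); 203.0.113.7 fails three times.
SAMPLE_LOG = """\
Jan  8 20:01:02 shop sshd[4120]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jan  8 20:01:05 shop sshd[4120]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jan  8 20:02:11 shop sshd[4133]: Failed password for invalid user admin from 203.0.113.7 port 51100 ssh2
Jan  8 20:03:44 shop sshd[4140]: Failed password for jon from 198.51.100.22 port 40010 ssh2
Jan  8 20:03:50 shop sshd[4140]: Accepted publickey for jon from 198.51.100.22 port 40010 ssh2
Jan  8 20:05:00 shop sshd[4150]: Failed password for root from 192.0.2.99 port 60000 ssh2
"""

# Assumed syslog-style sshd line layout: "<Mon> <day> <hh:mm:ss> <host> sshd[pid]: Failed password ... from <ip> port ..."
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port"
)


def parse_failures(log_text, year=2019):
    """Yield (timestamp, source_ip) for every 'Failed password' line (syslog lines carry no year)."""
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2)


def hosts_to_deny(log_text, threshold=3, window=timedelta(days=60)):
    """Return the set of IPs with at least `threshold` failures inside any `window` (hosts.deny candidates)."""
    by_ip = {}
    for ts, ip in parse_failures(log_text):
        by_ip.setdefault(ip, []).append(ts)
    blocked = set()
    for ip, times in by_ip.items():
        times.sort()
        # Slide over sorted timestamps: any run of `threshold` failures within `window` triggers a block.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                blocked.add(ip)
                break
    return blocked


def lockout_seconds(failures, base=0.25):
    """Delay imposed after the n-th consecutive failure: a quarter second, doubled each time."""
    return base * 2 ** (failures - 1) if failures > 0 else 0.0


if __name__ == "__main__":
    print(hosts_to_deny(SAMPLE_LOG))            # {'203.0.113.7'}
    print([lockout_seconds(n) for n in (1, 2, 3, 32)])  # [0.25, 0.5, 1.0, 536870912.0]
```

With the doubling schedule the 32nd failure waits 2^31/4 = 536,870,912 seconds, roughly 17 years, while the first three tries together cost under a second.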