Bogus "account hacked" message

Jon Elson elson at pico-systems.com
Tue Jan 8 20:56:34 CST 2019


On 01/08/2019 04:33 PM, Fred Cisin via cctalk wrote:
> On Tue, 8 Jan 2019, allison via cctalk wrote:
>> Standard lockout after three fails is 15 minutes.
>
> Howzbout:
> a quarter second lockout after a fail;
> double that for each subsequent fail.
> Three tries to get it right will not be inconvenienced.
> But, by 32 tries, it's up to a billion seconds.
>
Interesting observation I made a few years ago.  I run a web 
store, and was being inundated with ssh login attempts.  
About 1000/day!  I decided this was serious; they'd 
eventually get lucky.
So, searching available software, I found denyhosts.  It 
checks the logs for login failures, and after a set 
threshold, it puts the source IP into the hosts.deny list, 
and your machine effectively disappears from that source 
IP's view.  I set the rules very strictly, so that after 3 
login failures over a 2 month span, that IP was blocked for 
a year.  Something very interesting happened.
The number of attempts did not diminish immediately, as the 
botnets had a large number of compromised machines.  But, 
suddenly, two weeks to the EXACT HOUR when I set up 
denyhosts, the attacks dropped from 1000/day to 3!  Just 
like flipping a switch!  So, these hackers have a dark net 
list somewhere where they trade IP addresses of machines 
they would like to hack, and what they can figure out about 
the security measures implemented on them.  When they have 
demonstrated by coordinated attempts that your lockout 
horizon is over two weeks, they put out the word that your 
site is not going to bear any fruit.

I currently have 9000-some blocked IPs in hosts.deny, I 
wonder how much that slows down my store.  Ugh, the stuff we 
are forced to go through.

Jon
