auth.log many failed attempts in one second despite MaxAuthTries
 

Recently we got a spate of attacks on our server. Now the strange thing is that auth.log logs many failed attempts for the exact same time (same second) even though there should be a 3 second delay between each attempt (we run Debian Squeeze Server). Moreover, I had set MaxAuthTries in the sshd_config to 2!


Now, are these actually 5 connection attempts in total, or one attempt for each log line (which seems technically impossible)? Thanks for your help!

Looks like you have MaxStartups at the default of 10, which means sshd allows 10 connections at a time in parallel. I rate-limit repeated attempts from one IP address using iptables. My rules are:

However, they still keep coming in at the lower rate. I'm currently getting attacks from
219.234.131.41: BEIJING SHEN-GE-JIN-WANG CO.LTD at about 1 every 30 seconds.

Hopefully you don't allow remote login as root, so no password will work.

Better yet is to use digital-certificate authentication and disable passwords as a possibility altogether. (Password-protect, that is to say, encrypt, the certificate itself.)

Think about it: when you walk into an office building, there isn't someone standing there requiring you to say the magic word ("sesame"). There's a badge reader. You can't invent badges: either you have one or you don't, and if you do, either your unique badge is enabled or it isn't. End of story. Apply exactly the same methodology to your SSH (or any other type of ...) security. The certificate that you issue to any employee is absolutely unique and un-forgeable. Either they can present it, or they can't. Either you accept the unique credential and grant access, or you don't. ("Passwords? Schmasswords! Hey, we don't use hieroglyphics anymore, either!")

Thanks guys, I have adjusted MaxStartups and that should restrict these guys quite a bit! I am aware of public key authentication and that is also an option.