With the increased number of "brute force" login attempts against port 22, I am concerned that an intruder may actually stumble across a valid user/pass combination. To combat this, I would like to request an sshd_config option that would cause the running sshd parent process to keep track of login failures by IP address. If there are more than X number of login failures for a particular IP address over a fixed period of time, simply deny login to all attempts after the first X tries.

While there is a possibility of creating a denial of service for a particular incoming IP address, one can work around a temporarily blocked IP by attempting to login from a different IP address. Most people have access to more than one.

Thoughts?

Regards,

Seann Herdejurgen
seann at herdejurgen.com
Seann Herdejurgen wrote:
> With the increased number of "brute force" login attempts against
> port 22, I am concerned that an intruder may actually stumble across
> a valid user/pass combination. To combat this, I would like to
> request an sshd_config option that would cause the running sshd
> parent process to keep track of login failures by IP address. If
> there are more than X number of login failures for a particular IP
> address over a fixed period of time, simply deny login to all
> attempts after the first X tries.

We are pretty sure that we don't want to do this for a variety of reasons. But, that doesn't stop you from doing it with a little perl script that watches syslog and pokes addresses into your packet filter of choice.

This has been discussed on the list a couple of times, please check the archives for more detailed comments.

I have some other ideas on how to mitigate these attacks in sshd, hopefully I'll have time to implement them soon.

-d
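The log-watching approach suggested above, as an added example that is not part of the thread or of OpenSSH: it parses sshd "Failed password" syslog lines, counts failures per source IP inside a sliding time window, and emits a packet-filter rule once an address passes the threshold. The log lines are constructed samples, and iptables is assumed as the packet filter (swap in pf, ipfw or whatever you run).

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the classic sshd syslog line; the syslog timestamp carries no year.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log: 10.0.0.5 fails six times in 14 seconds,
# 10.0.0.9 fails twice half an hour apart and has one successful login.
SAMPLE_LOG = """\
May 13 10:00:01 host sshd[1001]: Failed password for root from 10.0.0.5 port 40001 ssh2
May 13 10:00:03 host sshd[1002]: Failed password for invalid user admin from 10.0.0.5 port 40002 ssh2
May 13 10:00:05 host sshd[1003]: Failed password for root from 10.0.0.9 port 40003 ssh2
May 13 10:00:07 host sshd[1004]: Failed password for root from 10.0.0.5 port 40004 ssh2
May 13 10:00:09 host sshd[1005]: Accepted publickey for alice from 10.0.0.9 port 40005 ssh2
May 13 10:00:11 host sshd[1006]: Failed password for root from 10.0.0.5 port 40006 ssh2
May 13 10:00:13 host sshd[1007]: Failed password for invalid user test from 10.0.0.5 port 40007 ssh2
May 13 10:00:15 host sshd[1008]: Failed password for root from 10.0.0.5 port 40008 ssh2
May 13 10:30:00 host sshd[1009]: Failed password for root from 10.0.0.9 port 40009 ssh2
""".splitlines()

def parse_ts(ts, year=2005):
    # Syslog omits the year; assume one so timestamps become comparable.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def offenders(lines, max_failures=5, window_seconds=600):
    """Return the set of source IPs with more than max_failures failed
    logins inside any window_seconds-long span (the "X tries" rule)."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    blocked = set()
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ip, t = m.group("ip"), parse_ts(m.group("ts"))
        q = recent[ip]
        q.append(t)
        while (t - q[0]).total_seconds() > window_seconds:
            q.popleft()  # expire failures older than the window
        if len(q) > max_failures:
            blocked.add(ip)
    return blocked

def block_command(ip):
    # Assumed packet filter: iptables. Drops new SSH connections from ip.
    return ["iptables", "-I", "INPUT", "-s", ip, "-p", "tcp", "--dport", "22", "-j", "DROP"]

if __name__ == "__main__":
    for ip in sorted(offenders(SAMPLE_LOG)):
        print(" ".join(block_command(ip)))
```

A real deployment would tail the live log and run the command instead of printing it, and should also expire blocks, since the DoS concern raised in the thread applies to any shared or spoofable source address.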
On Fri, 13 May 2005, Seann Herdejurgen wrote:
> a valid user/pass combination. To combat this, I would like to request
> an sshd_config option that would cause the running sshd parent process
> to keep track of login failures by IP address. If there are more than X
> number of login failures for a particular IP address over a fixed period
> of time, simply deny login to all attempts after the first X tries.

Check out pam_tally. I've not used it but googling shows some reports of success with ssh.

--
David Leonard
Resource Central software engineer
Vintela Inc.; Brisbane, Australia
VoIP: US: 801-655-2755 AU: 07-3023-5133