Hi!

I need to delay failed ssh password authentication as an additional measure against brute force ssh attacks. I understand that this should be accomplished through pam, but googling gave me no example. I have CentOS 5.2.

-- 
Veiko Kukk
> Hi!
>
> I need to delay failed ssh password authentication as an additional
> measure against brute force ssh attacks. I understand that this should be
> accomplished through pam, but googling gave me no example. I have CentOS
> 5.2.

Hi,

I think you can use iptables and ipt_recent for this case. Please search for ipt_recent.
Veiko Kukk wrote:
> Hi!
>
> I need to delay failed ssh password authentication as an additional
> measure against brute force ssh attacks. I understand that this should be
> accomplished through pam, but googling gave me no example. I have
> CentOS 5.2.

I think I'd set MaxAuthTries to 2 in /etc/ssh/sshd_config (give your legit users one chance when they mistype the password), then use the iptables stuff to rate limit ssh connections from a given source IP: after a few connection attempts in < 1 minute, blacklist that IP for half an hour or something. You don't want to set it TOO sensitive or you'll find yourself unable to open several shell windows to the same host (something I do frequently so I can have one for an edit session or running an installer or something, and another for man or for doing root stuff, or whatever).
Hi,

You can create iptables rules to rate-limit ssh connections.

Create a new chain named SSH_CHECK:

  /sbin/iptables -N SSH_CHECK

Redirect all requests for port 22 to the new chain SSH_CHECK:

  /sbin/iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_CHECK

Then allow all of your valid remote IPs that are allowed to log in:

  /sbin/iptables -I SSH_CHECK 1 -s 1.2.3.4 -j ACCEPT
  /sbin/iptables -I SSH_CHECK 2 -s 10.10.2.2 -j ACCEPT

Then for the rest of the IPs it won't allow more than 4 connections within a 60-second interval; it's useful to prevent brute force attacks:

  # record the source address in the "SSH" recent list on every new connection
  # (without this --set rule the list is never populated and the --update rule never matches)
  /sbin/iptables -A SSH_CHECK -m recent --set --name SSH
  # drop the source once it has 4 or more hits in the last 60 seconds
  /sbin/iptables -A SSH_CHECK -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP

Regards,
crazy paps

On Fri, Nov 28, 2008 at 12:36 PM, Veiko Kukk <veiko.kukk at krediidipank.ee> wrote:
> Hi!
>
> I need to delay failed ssh password authentication as an additional measure
> against brute force ssh attacks. I understand that this should be accomplished
> through pam, but googling gave me no example. I have CentOS 5.2.
>
> --
> Veiko Kukk
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
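The two replies above (MaxAuthTries plus an iptables rate limit, and the SSH_CHECK chain built on the recent match) can be combined into one script. The following is an added example and not code from anyone in the thread: it prints the iptables commands by default and only changes the live firewall when APPLY=1 is set, so it can be reviewed or dry-run first. The whitelist addresses (RFC 5737 documentation ranges), the 60-second window, the 4-hit threshold and the LOG prefix are assumptions to adjust for your hosts.

```shell
#!/bin/sh
# Added example (not from the list thread): build an SSH_CHECK chain with the
# iptables "recent" match. Prints the commands unless APPLY=1, so it can be
# reviewed or dry-run on a machine without iptables. Whitelist, window and
# threshold below are assumptions.

APPLY="${APPLY:-0}"          # APPLY=1 to change the live firewall
SSH_PORT="${SSH_PORT:-22}"
CHAIN="SSH_CHECK"
LIST="SSH"                   # recent list name; visible under /proc/net/ipt_recent/SSH
                             # on CentOS 5 kernels, /proc/net/xt_recent/SSH on newer ones
WINDOW=60                    # seconds
HITS=4                       # new connections inside WINDOW; the 4th one is dropped
ALLOW="192.0.2.10 198.51.100.7"   # constructed whitelist (documentation addresses)

run() {
    if [ "$APPLY" = 1 ]; then
        /sbin/iptables "$@"
    else
        echo "iptables $*"
    fi
}

ssh_rules() {
    # Create the chain, or flush it so the script can be re-run safely.
    run -N "$CHAIN" 2>/dev/null || run -F "$CHAIN"

    # Send only NEW TCP connections to sshd through the chain (delete any
    # earlier copy of the jump first so re-running does not duplicate it).
    run -D INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -j "$CHAIN" 2>/dev/null
    run -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -j "$CHAIN"

    # Trusted sources are accepted before they are ever counted.
    for ip in $ALLOW; do
        run -A "$CHAIN" -s "$ip" -j ACCEPT
    done

    # --set records the source in the list on every new connection. Without
    # it the list stays empty and the --update rule below never matches.
    run -A "$CHAIN" -m recent --set --name "$LIST"

    # --rcheck only tests the list; used for the LOG rule so the entry's
    # timestamp is not refreshed twice for the same packet.
    run -A "$CHAIN" -m recent --rcheck --seconds "$WINDOW" --hitcount "$HITS" --name "$LIST" \
        -j LOG --log-prefix "SSH_RATE_LIMIT: " --log-level 4

    # --update tests the list AND refreshes the entry, so a source that keeps
    # retrying stays blocked until it has been quiet for WINDOW seconds.
    run -A "$CHAIN" -m recent --update --seconds "$WINDOW" --hitcount "$HITS" --name "$LIST" -j DROP

    # Anything else continues down the INPUT chain as before.
    run -A "$CHAIN" -j RETURN
}

ssh_rules
```

Two caveats worth keeping in mind: the recent match counts new TCP connections, not failed logins, so it only approximates the "delay failed auth" the original post asked for (pairing it with MaxAuthTries 2 caps how many passwords one connection can try), and several users behind one NAT address share a single counter, which is why the whitelist comes first. The kernel's list also has fixed limits (by default 100 tracked addresses and 20 timestamps per address; the hit count must not exceed the latter), and `cat /proc/net/ipt_recent/SSH` shows which sources are currently being counted.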
Gerhardus.Geldenhuis at gta-travel.com
2008-Nov-28 16:14 UTC
[CentOS] How to delay failed ssh auth
Hi,

You could install a new pam module:

http://www-uxsup.csx.cam.ac.uk/~pjb1008/project/pam_delay/

Although I have not tested it.

Regards

> -----Original Message-----
> From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of Veiko Kukk
> Sent: 28 November 2008 07:06
> To: centos at centos.org
> Subject: [CentOS] How to delay failed ssh auth
>
> Hi!
>
> I need to delay failed ssh password authentication as an additional
> measure against brute force ssh attacks. I understand that this should be
> accomplished through pam, but googling gave me no example. I have
> CentOS 5.2.
>
> --
> Veiko Kukk
Veiko Kukk wrote:
> I need to delay failed ssh password authentication as an additional
> measure against brute force ssh attacks. I understand that this should be
> accomplished through pam, but googling gave me no example. I have CentOS
> 5.2.

pam_shield and pam_delay are both modules you can use for stuff like this, although I don't personally like either. If you get thousands of hits per hour, pam's internal response time gets slowed down, and it's not insignificant unless you have exceptionally large machines. Same thing with log watchers including denyhosts / fail2ban etc.; the overhead isn't really worth it. At the moment switching ports to something else non-standard works well, needs no extra s/w etc.

- KB
> -----Original Message-----
> From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of Veiko Kukk
> Sent: 28 November 2008 07:06
> To: centos at centos.org
> Subject: [CentOS] How to delay failed ssh auth
>
> Hi!
>
> I need to delay failed ssh password authentication as an additional
> measure against brute force ssh attacks. I understand that this should be
> accomplished through pam, but googling gave me no example. I have
> CentOS 5.2.
>
> --
> Veiko Kukk

You may find this thread helpful:

http://lists.centos.org/pipermail/centos/2008-January/051102.html

-- 
*** E-Mail is NOT a SECURE channel ***
James B. Byrne                 mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited           http://www.harte-lyne.ca
9 Brockley Drive               vox: +1 905 561 1241
Hamilton, Ontario              fax: +1 905 561 0757
Canada L8E 3C3