
Re: SSH Cracking Attempts



On Thu, 30 Sep 2004 20:20:59 -0400
Ralph Katz <ralph.katz@rcn.com> wrote:

> > From: Jacob S (stormspotter@6Texans.net)
> > Subject: SSH Cracking Attempts
> >  
<snip - problems with crackers looking for weak username/password
combinations>
> 
> The closest I've come to finding something that would help is this,
> but I don't know how to apply this to Debian:
> 
> http://lists.sans.org/pipermail/list/2004-July/061242.html
> 
> >> Is there any way I can lock out an account/machine after a certain
> >> number of failed login attempts via ssh ?
> >> similar to what happens on the console of a *nix box or the
> >> windows login screen
> > 
> > You haven't said what OS. If it uses pam, then you'll have to swat
> > up on pam. Have a look at the pam_tally module; on my RH RHAS3
> > machines, the docs are in /usr/share/doc/pam-0.75/html. You'd modify
> > /etc/pam.d/sshd or /etc/pam.d/system-auth on a RedHat 8, 9 or ES
> > installation.
> > 
> > Example: Add the following to /etc/pam.d/(sshd|system-auth):
> > 
> > account    required      /lib/security/$ISA/pam_tally.so onerr=fail file=/var/log/faillog deny=3 no_magic_root even_deny_root_account
> > 
> > Reset failed logins (cron!) with /sbin/pam_tally.
> > 
> 
> I can't find anything relevant on pam or /etc/ssh/sshd_config.  Sure,
> there is denying root logins, RhostsRSAAuthentication for known hosts,
> hosts allow and hosts deny, but those solutions address different
> situations.  But your question remains key for me:
> 
>  > Is there a way to tell ssh to refuse
>  > connections from an ip address after a certain number of failed
>  > login attempts,
> 
> Or to send it to a tarpit?
> 
> Any ideas?
> 
> Oh, you can report attacks at
> http://www.dshield.org/ and get more info.

Excellent, Ralph. Thanks!

I did a little bit of playing around with this on one of the machines
inside my network before using it on my public server, just to be safe.
:-)

Doing a google search on 'pam_tally cron' turned up some nice results,
thanks to your links. I added the two following lines to /etc/pam.d/ssh
as partially referenced in one of your links, though I think the second
line may be the only one needed:

auth       required     /lib/security/pam_tally.so onerr=fail no_magic_root

account    required     /lib/security/pam_tally.so file=/var/log/faillog deny=3 no_magic_root even_deny_root_account reset

Each of those should be on a single line, but my mailer wrapped them due
to length.

I also found the following links, that may be of some help:

http://www.baverstock.org.uk/tim/pam/
http://cvs.sourceforge.net/viewcvs.py/pam/Linux-PAM/modules/pam_tally/README?rev=1.2
http://www.linuxquestions.org/questions/showthread.php?s=&postid=1107789#post1107789

These do a great job of locking down an account while it's under attack.
The unfortunate part is that it simply locks down that account, instead
of only locking it when the user is coming from the offending ip.

Also, just because an account (say 'fred') has been locked by an
offender on ip 123.123.456.456, that does not keep that same ip from
successfully logging into the same machine as user 'george', if they
know the right password and get it within the specified number of tries.
There are pros to this as well, but overall I think they're mainly cons.

At this point I'm thinking tarpitting may provide the more thorough yet
tailored approach, but I'm still in the process of doing research on it.
And, depending on how it works, these two different approaches may be
worth using in parallel.

Thanks again,
Jacob
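The two drawbacks Jacob describes (pam_tally locks the account rather than the source address, so a legitimate user is locked out from everywhere while the attacker can keep trying other accounts) are easy to see by tallying failures both ways over sshd log lines. The following is an added example, not code from the thread or from the pam_tally module; the auth.log lines are constructed for illustration, and the "exceeds deny" rule mirrors the pam_tally README's wording for deny=n.

```python
import re
from collections import Counter

# Constructed sample auth.log lines in the shape OpenSSH uses for password
# authentication results (not taken from the thread).
SAMPLE_LOG = """\
Sep 30 20:01:01 host sshd[1001]: Failed password for fred from 203.0.113.5 port 40001 ssh2
Sep 30 20:01:03 host sshd[1002]: Failed password for fred from 203.0.113.5 port 40002 ssh2
Sep 30 20:01:05 host sshd[1003]: Failed password for fred from 203.0.113.5 port 40003 ssh2
Sep 30 20:01:07 host sshd[1004]: Failed password for fred from 203.0.113.5 port 40004 ssh2
Sep 30 20:01:09 host sshd[1005]: Failed password for george from 203.0.113.5 port 40005 ssh2
Sep 30 20:01:11 host sshd[1006]: Failed password for invalid user admin from 203.0.113.5 port 40006 ssh2
Sep 30 20:01:13 host sshd[1007]: Accepted password for george from 203.0.113.5 port 40007 ssh2
Sep 30 20:02:00 host sshd[1008]: Failed password for fred from 198.51.100.7 port 50001 ssh2
"""

# Matches only failed password attempts; "invalid user" is optional because
# sshd inserts it when the account does not exist.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text):
    """Return (user, ip) tuples, one per failed password attempt, in log order."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures.append((m.group("user"), m.group("ip")))
    return failures


def per_account_lockouts(failures, deny=3):
    """pam_tally style: lock an account whose failure count exceeds deny,
    regardless of which source addresses produced the failures."""
    tally = Counter(user for user, _ in failures)
    return sorted(user for user, n in tally.items() if n > deny)


def per_source_lockouts(failures, deny=3):
    """Source-address style: refuse an address whose failure count exceeds
    deny, regardless of which accounts it tried."""
    tally = Counter(ip for _, ip in failures)
    return sorted(ip for ip, n in tally.items() if n > deny)


def would_be_refused(failures, user, ip, deny=3):
    """Given the failures seen so far, would a new attempt by (user, ip) be
    refused?  Returns (refused_by_account_policy, refused_by_source_policy)."""
    return (user in per_account_lockouts(failures, deny),
            ip in per_source_lockouts(failures, deny))


if __name__ == "__main__":
    seen = parse_failures(SAMPLE_LOG)
    print("accounts locked (pam_tally style):", per_account_lockouts(seen))
    print("addresses refused (per-source style):", per_source_lockouts(seen))
    # The attacker's address trying 'george': only the per-source policy stops it.
    print("george from 203.0.113.5:", would_be_refused(seen, "george", "203.0.113.5"))
    # The real 'fred' from another address: only the per-account policy stops him.
    print("fred from 198.51.100.7:", would_be_refused(seen, "fred", "198.51.100.7"))
```

With the constructed log, the account policy locks `fred` (five failures, four of them from one attacking address) but still admits the attacker when it moves on to `george`; the per-source policy refuses the attacking address for every account while leaving `fred` free to log in from elsewhere. Running both tallies side by side, as the message suggests, is what closes both gaps.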


