[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

PAM tarpit module for repeated SSH login attempts

Hi list,

Having tired of seeing attempts to log in as root via SSH in my logs, I
wrote a quick-and-dirty hack to the pam_tally module in order to
implement a tarpit.  Here's the code: (License is of course GPL)


This will work if you use PAM with SSH, even if you have PermitRootLogin
set to "no" (which should generally be the case anyway).  See the
included README for the lines to add to /etc/pam.d/ssh .  For each
failed login attempt after the first three, the module increases the
amount of time required to wait for the next login attempt by a factor
of two.

Caveat: this module doesn't (yet) implement IP tracking, so there is
some danger of a DoS.  Since the current SSH dictionary attacks appear
only to try cracking root and other non-user accounts, if you don't
permit root to login by SSH anyway, the danger is not so high.  You
might also want to add a cron job to delete the /var/log/faillog file
every so often.


Kevin B. McCarty <kmccarty@princeton.edu>   Physics Department
WWW: http://www.princeton.edu/~kmccarty/    Princeton University
GPG public key ID: 4F83C751                 Princeton, NJ 08544

Reply to: