
Re: What to do about SSH brute force attempts?

On Thu, 21 Aug 2008 16:58:45 +0200, Michael Tautschnig writes:
>> * use a firewall to prevent other IP addresses from connecting to your ssh
>> service. restrict it just to yours (iptables scripts are easy to find on
>> the web)
>Well, I should have added that my hosts must be world-wide accessible using
>password-based authentication, so this is no option.

i'm using pam_recent to toss out the obvious fakers after a few missed
attempts. that way i still have the capability for password authentication
but without having to keep track of acceptable source ips and similar hassle.

how does it work?
my iptables setup allows only a very limited number of new ssh connections
per time period, after which it blocks new conns (simple application
of the "recent match" module). to let legitimate users through without
limitations i use my pam_recent helper:
this is a tiny pam session module which removes the ipt_recent
entry for the given peer ip address. hence every time somebody manages to
log in cleanly they get another set of new conns allowed, while the
brute-forcers get blocked after a few unsuccessful attempts.

the main benefit over fail2ban and similar is that a pam_recent setup
needs no log tailing, no dynamic iptables rules, databases or similar.

details and code: http://snafu.priv.at/mystuff/recent-plus-pam.html


+ Alexander Zangerl + DSA 42BD645D + (RSA 5B586291)
Computer science terminology, CIDR:
 The decimal digit sum of the binary representation of the netmask. -- Aldo
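The setup described in the message above, as an added example that is not code from the original post and not the author's pam_recent module: the firewall half is the iptables "recent" match limiting NEW ssh connections per source address, and the PAM half is done here with the stock pam_exec module running a small script that removes the peer's entry from the recent list after a successful login (the original uses a dedicated C session module instead). The list name "sshbf", the limit of 4 new connections per 60 seconds, the hook path /usr/local/sbin/ssh-recent-clear and ssh on port 22 are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original post or from pam_recent):
#  1) iptables "recent" rules that drop NEW ssh connections from a source
#     that already made HITCOUNT attempts inside WINDOW seconds, and
#  2) a pam_exec session hook that forgets the peer's entry after a clean
#     login, so legitimate users never hit the limit.
# Assumed values: list "sshbf", 4 hits per 60 s, sshd on port 22,
# script installed as /usr/local/sbin/ssh-recent-clear.

RECENT_LIST="${RECENT_LIST:-sshbf}"
HITCOUNT="${HITCOUNT:-4}"
WINDOW="${WINDOW:-60}"
IPT="${IPT:-iptables}"    # IPT=echo prints the rules instead of applying them

# --- 1) firewall side --------------------------------------------------------
# Order matters: check-and-drop first, then record-and-accept. These rules
# must sit before any generic "accept port 22" rule in the INPUT chain.
ssh_recent_rules() {
    $IPT -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
        -m recent --name "$RECENT_LIST" --update \
        --seconds "$WINDOW" --hitcount "$HITCOUNT" -j DROP
    $IPT -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
        -m recent --name "$RECENT_LIST" --set -j ACCEPT
}

# --- 2) PAM side -------------------------------------------------------------
# PAM_RHOST can be a hostname when sshd does reverse lookups; only a dotted
# quad may be written to the recent list, so validate strictly first.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# The recent match exposes each list as a file under /proc; newer kernels
# use xt_recent, older ones ipt_recent (the name used in the message).
recent_proc_file() {
    for d in /proc/net/xt_recent /proc/net/ipt_recent; do
        [ -w "$d/$1" ] && { printf '%s\n' "$d/$1"; return 0; }
    done
    return 1
}

# Writing "-<address>" to that file removes the address from the list.
recent_remove_line() { printf '%s' "-$1"; }

# Entry point when run by pam_exec from /etc/pam.d/sshd, e.g.
#   session optional pam_exec.so /usr/local/sbin/ssh-recent-clear pam
# pam_exec exports PAM_TYPE and PAM_RHOST into the environment.
pam_hook() {
    [ "${PAM_TYPE:-}" = "open_session" ] || return 0   # ignore close_session
    is_ipv4 "${PAM_RHOST:-}" || return 0               # nothing safe to clear
    f=$(recent_proc_file "$RECENT_LIST") || return 0   # module not loaded
    recent_remove_line "$PAM_RHOST" > "$f"
}

case "${1:-}" in
    rules) ssh_recent_rules ;;   # sh ssh-recent-clear rules  (IPT=echo to preview)
    pam)   pam_hook ;;           # argument passed by the pam_exec line above
esac
```

Run it once with `rules` at boot (after the conntrack rules and before any blanket accept for port 22), and let pam_exec call it with `pam` from the session stack; since the hook only acts on open_session and only on an address that passes the dotted-quad check, a failed or hostname-only login never touches the list, which is what gives the message's "brute-forcers blocked, clean logins allowed" behaviour without log tailing or dynamic rules.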
