
Re: more fun - Re: Securing SSH: How to enable FAIL_DELAY?



Ralph Katz wrote:

On 08/18/04 21:13, Alvin Oga wrote:

i assume you have enabled tcp_wrappers on sshd ??



and for more fun, you can put sshd logins into their own chroot jails


That's a good suggestion for a different situation, thanks.

I want to enable FAIL_DELAY, if that's possible, to make the host less attractive to attackers and lower the overhead fending off login probes.

So, how can FAIL_DELAY be enabled for ssh? Or is it just unavailable to sshd?


Take a look at the pop-before-smtp package.

It scans the system mail log looking for successful imap/pop3 logins and enables mail relaying from those addresses for a short time. A similar approach could be used to block traffic altogether from wannabees. Look for messages like these:

Sep 20 20:12:45 kowari sshd[2545]: error: PAM: Authentication failure for summer from dolphin.demo.room
Sep 20 20:12:45 kowari sshd[2545]: Failed keyboard-interactive/pam for summer from 192.168.9.114 port 36635 ssh2
Sep 20 20:12:47 kowari sshd[2545]: Failed password for summer from 192.168.9.114 port 36635 ssh2

It would be reasonable to drop all traffic from such an address for a while: an hour would probably be adequate. You could also perhaps think of dropping the whole class C.



--

Cheers
John

-- spambait
1aaaaaaa@computerdatasafe.com.au  Z1aaaaaaa@computerdatasafe.com.au
Tourist pics http://portgeographe.environmentaldisasters.cds.merseine.nu/
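
Added example, not part of the message above and not code from pop-before-smtp: a log scanner in the spirit of the suggestion, which reads sshd "Failed ..." lines and works out which source addresses (or, optionally, which /24) to drop and until when. The function name plan_blocks, the threshold, the counting window, the caller-supplied year and every sample line after the first three are assumptions made for the example; it only computes the block list and leaves applying it to a packet filter to the operator.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Policy: only the one-hour block is from the post; the rest are assumptions.
THRESHOLD = 3                    # failures that trigger a block
WINDOW = timedelta(minutes=5)    # period the failures must fall within
BLOCK_FOR = timedelta(hours=1)   # "an hour would probably be adequate"

# The user field is greedy and the pattern is anchored at the end of the line,
# so text inside a login name cannot stand in for the real source address.
FAILED = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed \S+ for .* from (\S+) port \d+ ssh2$")

def plan_blocks(lines, year, whole_class_c=False):
    """Return {network: expiry}. syslog stamps have no year, so pass one in."""
    recent = defaultdict(deque)  # network -> timestamps of recent failures
    blocks = {}
    for line in lines:
        m = FAILED.match(line.strip())
        if not m:
            continue             # PAM duplicates, successful logins, noise
        try:
            addr = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue             # hostname or garbage: never block on it
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        prefix = 24 if whole_class_c and addr.version == 4 else addr.max_prefixlen
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        seen = recent[net]
        seen.append(when)
        while when - seen[0] > WINDOW:
            seen.popleft()       # forget failures older than the window
        if len(seen) >= THRESHOLD:
            blocks[net] = when + BLOCK_FOR
    return blocks

# First three lines are from the post; the last three are constructed.
SAMPLE = """\
Sep 20 20:12:45 kowari sshd[2545]: error: PAM: Authentication failure for summer from dolphin.demo.room
Sep 20 20:12:45 kowari sshd[2545]: Failed keyboard-interactive/pam for summer from 192.168.9.114 port 36635 ssh2
Sep 20 20:12:47 kowari sshd[2545]: Failed password for summer from 192.168.9.114 port 36635 ssh2
Sep 20 20:12:50 kowari sshd[2551]: Failed password for summer from 192.168.9.114 port 36640 ssh2
Sep 20 20:13:02 kowari sshd[2560]: Failed password for invalid user a from 10.0.0.1 port 1 ssh2 from 192.168.9.77 port 40001 ssh2
Sep 20 20:14:10 kowari sshd[2570]: Accepted password for ralph from 192.168.9.20 port 40100 ssh2
"""
```

The PAM line and the keyboard-interactive line at 20:12:45 record the same attempt, which is why only the "Failed ..." form is counted. The fifth sample line shows a login name that embeds a forged "from" clause; the address taken is the one sshd wrote at the end of the line.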


