
Re: more fun - Re: Securing SSH: How to enable FAIL_DELAY?



On 08/20/04 09:30, John Summerfield wrote:
Ralph Katz wrote:

On 08/18/04 21:13, Alvin Oga wrote:

i assume you have enabled tcp_wrappers on sshd ??




and for more fun, you can put sshd logins into their own chroot jails



That's a good suggestion for a different situation, thanks.

I want to enable FAIL_DELAY, if that's possible, to make the host less attractive to attackers and lower the overhead fending off login probes.

So, how can FAIL_DELAY be enabled for ssh? Or is it just unavailable to sshd?


Take a look at the pop-before-smtp package.

It scans the system mail log looking for successful imap/pop3 logins and enables mail relaying from those addresses for a short time. A similar approach could be used to block traffic altogether from wannabees. Look for messages like these:

Sep 20 20:12:45 kowari sshd[2545]: error: PAM: Authentication failure for summer from dolphin.demo.room
Sep 20 20:12:45 kowari sshd[2545]: Failed keyboard-interactive/pam for summer from 192.168.9.114 port 36635 ssh2
Sep 20 20:12:47 kowari sshd[2545]: Failed password for summer from 192.168.9.114 port 36635 ssh2

It would be reasonable to drop all traffic from such an address for a while: an hour would probably be adequate. You could also perhaps think of dropping the whole class C.


While I appreciate the suggestion and looked at the package description, I don't see how a package that looks at mail logs is going to help. ;)

I want something simple; just to have the FAIL_DELAY from /etc/login.defs (or its equivalent) work for sshd, so attempted illicit logins get considerably delayed and thus discouraged.

From the lack of replies to this specific point, I'll assume it's not possible. Thanks to all who replied.

Readers wanting to secure ssh should also consult The Securing Debian docs, specifically Securing SSH:

http://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services.en.html#s5.1
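The log-scanning approach John describes above, worked through as an added example (editor's code, not from the thread, pop-before-smtp or Debian). It parses the sshd failure lines quoted in the thread, counts failures per peer address inside a sliding window, and renders the iptables DROP rules that would block an address for an hour. The sample log is constructed: the first three lines are the ones quoted above, the remaining lines, the 10.0.0.7 address and the year 2004 are assumptions added to exercise the threshold logic. Only the "Failed <method> for <user> from <ip> port <port>" lines are counted: the "error: PAM: Authentication failure ... from <name>" line for the same attempt carries a reverse-DNS name rather than the peer IP, and the name is under the control of whoever runs reverse DNS for the attacker's address, so it is neither trustworthy as a block key nor a separate attempt.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Lines 1-3 are quoted in the thread; the rest
# (including the 10.0.0.7 peer) are assumptions for this example.
SAMPLE_LOG = """\
Sep 20 20:12:45 kowari sshd[2545]: error: PAM: Authentication failure for summer from dolphin.demo.room
Sep 20 20:12:45 kowari sshd[2545]: Failed keyboard-interactive/pam for summer from 192.168.9.114 port 36635 ssh2
Sep 20 20:12:47 kowari sshd[2545]: Failed password for summer from 192.168.9.114 port 36635 ssh2
Sep 20 20:12:49 kowari sshd[2551]: Failed password for summer from 192.168.9.114 port 36640 ssh2
Sep 20 20:13:01 kowari sshd[2553]: Failed password for root from 10.0.0.7 port 4021 ssh2
Sep 20 21:30:00 kowari sshd[2600]: Failed password for root from 10.0.0.7 port 4022 ssh2
Sep 20 21:30:05 kowari sshd[2601]: Accepted password for summer from 192.168.9.114 port 36700 ssh2
"""

# Matches "Failed password for ..." and "Failed keyboard-interactive/pam for ..."
# (sshd also emits "Failed password for invalid user <name> from ..." for
# unknown accounts; the optional group covers that form). The PAM
# "Authentication failure ... from <hostname>" line is deliberately not
# matched: it names a reverse-DNS result, not the peer IP, and it describes
# the same attempt as the following "Failed ..." line.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(log_text, year=2004):
    """Yield (timestamp, ip, user) for every counted failed attempt.

    syslog timestamps carry no year, so the caller supplies one (assumed
    2004 here to match the thread's date).
    """
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]


def addresses_to_block(log_text, threshold=3, window=timedelta(minutes=10),
                       block_for=timedelta(hours=1), year=2004):
    """Return {ip: block_until} for peers with >= threshold failures
    inside any `window`-long sliding interval. block_for defaults to the
    one hour suggested in the thread; threshold and window are assumptions.
    """
    recent = defaultdict(list)
    blocks = {}
    for ts, ip, _user in sorted(parse_failures(log_text, year)):
        # keep only this peer's failures that fall inside the window
        hits = [t for t in recent[ip] if ts - t <= window] + [ts]
        recent[ip] = hits
        already_blocked = ip in blocks and blocks[ip] > ts
        if len(hits) >= threshold and not already_blocked:
            blocks[ip] = ts + block_for
    return blocks


def iptables_rules(blocks, chain="INPUT"):
    """Render one DROP rule per blocked address as the shell command that
    would install it. Returned as strings so the caller decides whether to
    run them (and must also schedule their removal at block_until)."""
    return [f"iptables -I {chain} -s {ip} -j DROP" for ip in sorted(blocks)]


if __name__ == "__main__":
    for ip, until in addresses_to_block(SAMPLE_LOG).items():
        print(f"block {ip} until {until:%H:%M:%S}")
    for rule in iptables_rules(addresses_to_block(SAMPLE_LOG)):
        print(rule)
```

In the sample, 192.168.9.114 fails three times within four seconds and is blocked until 21:12:49, while 10.0.0.7 fails twice more than an hour apart and is left alone; the later successful login from 192.168.9.114 is not counted. A real deployment must also remove the rule when block_until passes, and should think twice about John's "whole class C" variant: dropping a /24 on the strength of one noisy host also locks out every legitimate user behind the same range, which on a corporate NAT or a dial-up pool can be the people you most want to keep.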


