
Re: denyhosts + tcp wrappers?



Andrew Sackville-West wrote:
> Craig Hurley wrote:
> > My understanding of how denyhosts works is that it is scheduled to parse
> > auth.log file every X seconds, identifying failed login attempts, it then
> > tallies those attempts, if the total of failed login attempts is above Y

> > The (very minor) hole here is that 
> > say denyhosts runs every 30 seconds, script-happy-john has a window of 30 
> > seconds to guess user name & password pairs.

But that is not a hole.  Even without any type of rate limiting if
your passwords are reasonable then it is not possible to guess the
password.  So it really does not matter if the script kiddies are
shaking the door all of the time.  They are not going to get in.
These types of rate limiters are really only there for the aesthetics
of it and not for the security of it.  Seeing those extra entries in
the log file is annoying.  Hearing the disk drive rattle more often is
annoying.  Rate limiting controls those non-security issues.

> the solution to this problem is to read man sshd_config and look at
> LoginGraceTime, MaxAuthTries, and MaxStartups. By tweaking these
> values (though I think they're fairly good in stock configuration) you
> can control all sorts of behaviors for ssh logins. 

Good suggestions.

> The point is even looking at someone pounding it for 30 seconds
> before denyhosts picks it up, it's not really a whole lot of
> attempts. Throw in some firewall rules to control frequency of
> permitted connections, and you can majorly throttle someone's ability
> to dictionary attack you. If you have good passwords, you should be
> okay.

Agreed.

> finally, if possible, just turn off password authentication altogether
> and use pubkey authentication.

The best suggestion yet.  Using ssh rsa keys prevents even the
possibility of a dictionary attack from happening.

Bob
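The sshd_config knobs named in this thread (PasswordAuthentication, PubkeyAuthentication, MaxAuthTries, LoginGraceTime, MaxStartups) are easy to audit mechanically. The script below is an added example, not code from the thread or from the OpenSSH project: it reads an sshd_config, resolves each directive to its effective value (falling back to OpenSSH's stock default when the directive is absent) and reports the settings that still leave a password-guessing window open. It also checks ChallengeResponseAuthentication, which the thread does not mention but which can let PAM prompt for a password even when PasswordAuthentication is off. The two sample configs it audits are constructed for the demo; the script assumes a plain config with top-level directives only and ignores Match blocks.

```shell
#!/bin/sh
# Added example (not from the list thread): audit an sshd_config against the
# anti-dictionary-attack settings discussed above. POSIX sh + awk only.
# The sample configs written by the two write_* functions are constructed.

# Effective value of one directive. sshd honours the FIRST uncommented
# occurrence of a directive, so stop at the first match; return the
# caller's default when the directive is absent. Match blocks are not
# handled (assumption: a flat config).
sshd_opt() {            # $1 config file, $2 directive, $3 default if unset
    val=$(awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1")
    printf '%s\n' "${val:-$3}"
}

# Convert sshd time formats (30, 30s, 2m, 1h) to seconds.
to_seconds() {
    case $1 in
        *h) echo $(( ${1%h} * 3600 )) ;;
        *m) echo $(( ${1%m} * 60 )) ;;
        *s) echo "${1%s}" ;;
        *)  echo "$1" ;;
    esac
}

findings=0
warn() { echo "WARN: $*"; findings=$((findings + 1)); }

# Report weak settings; the return value is the number of findings so the
# function can drive a cron job or a CI check. Defaults are OpenSSH's.
audit_sshd_config() {
    cfg=$1; findings=0

    [ "$(sshd_opt "$cfg" PasswordAuthentication yes)" = no ] ||
        warn "PasswordAuthentication is on: a dictionary attack is still possible"
    [ "$(sshd_opt "$cfg" ChallengeResponseAuthentication yes)" = no ] ||
        warn "ChallengeResponseAuthentication is on: PAM can still prompt for a password"
    [ "$(sshd_opt "$cfg" PubkeyAuthentication yes)" = yes ] ||
        warn "PubkeyAuthentication is off: nothing is left but passwords"

    tries=$(sshd_opt "$cfg" MaxAuthTries 6)
    [ "$tries" -le 6 ] || warn "MaxAuthTries $tries exceeds the stock value of 6"

    grace=$(to_seconds "$(sshd_opt "$cfg" LoginGraceTime 120)")
    [ "$grace" -le 120 ] || warn "LoginGraceTime ${grace}s exceeds the stock value of 120s"

    # start:rate:full -- once 'start' unauthenticated connections are pending,
    # new ones are refused with probability rate%, rising to 100% at 'full'.
    echo "INFO: MaxStartups $(sshd_opt "$cfg" MaxStartups 10:30:100) (start:rate:full)"
    return $findings
}

write_weak_config() {      # constructed sample: permissive settings
    cat > "$1" <<'EOF'
Port 22
PasswordAuthentication yes
PubkeyAuthentication no
MaxAuthTries 10
LoginGraceTime 2m
EOF
}

write_hardened_config() {  # constructed sample: key-only login, tighter limits
    cat > "$1" <<'EOF'
Port 22
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 30
MaxStartups 10:30:60
EOF
}

# Demo: audit both samples. The weak one yields 4 findings, the hardened one 0.
d=$(mktemp -d)
write_weak_config "$d/weak" && write_hardened_config "$d/hardened"
for f in weak hardened; do
    echo "== $f =="
    audit_sshd_config "$d/$f" || echo "$f: $? finding(s)"
done
rm -rf "$d"
```

On a live host, `sshd -T` prints the effective configuration with defaults filled in and directive names in lower case; feeding that output to `audit_sshd_config` instead of the raw file sidesteps the first-occurrence and Match-block caveats, since the directive lookup is case-insensitive. The firewall-side throttling mentioned in the thread is complementary and is not covered here.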
