[NBLUG/talk] opensshd delay after fail
Kyle Rankin
kyle at nblug.org
Mon Oct 17 09:13:13 PDT 2005
On Mon, Oct 17, 2005 at 09:22:07AM -0700, Bob Blick wrote:
> Everybody who reads their logs sees brute force ssh login attempts, once
> per second or more frequently.
>
> For highest security, having no users and disabling interactive ssh is the
> way to go, but this is impractical.
>
> Some people have routed sshd through the pam modules to add a delay, but
> pam doesn't behave the way one would like for ssh.
>
> Has anyone found a solution that adds a delay to sshd for failed login
> attempts? A patch to opensshd or an alternative to opensshd?
>
> Thanks,
>
> Bob
>
That's one way to approach the problem, but I've seen another solution that
works just as well if not better. There are a number of scripts floating
around that will parse your logs for failed ssh attempts and then if the #
of failed attempts for a particular IP crosses a threshold (say 5 attempts)
the IP is added to hosts.deny. Granted this will require that your ssh
works with tcpwrappers, but the end result is pretty effective--someone
tries a few username/password combos and gets locked out for good.
--
Kyle Rankin
NBLUG President
The North Bay Linux Users Group
http://nblug.org
IRC: greenfly at irc.freenode.net #nblug
kyle at nblug.org
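The threshold script Kyle describes, as an added example that is not code from the original thread: it parses constructed sshd syslog lines, counts "Failed password" entries per source IP, and emits hosts.deny entries for addresses at or above the threshold (the `sshd: IP` hosts.deny format and the sample log lines are assumptions).

```python
import re
from collections import Counter

# Constructed sample sshd syslog lines (not taken from the original post).
SAMPLE_LOG = """\
Oct 17 09:01:01 host sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Oct 17 09:01:02 host sshd[2102]: Failed password for root from 192.0.2.10 port 51235 ssh2
Oct 17 09:01:03 host sshd[2103]: Failed password for invalid user test from 192.0.2.10 port 51236 ssh2
Oct 17 09:01:04 host sshd[2104]: Failed password for invalid user oracle from 192.0.2.10 port 51237 ssh2
Oct 17 09:01:05 host sshd[2105]: Failed password for root from 192.0.2.10 port 51238 ssh2
Oct 17 09:02:10 host sshd[2110]: Failed password for kyle from 198.51.100.7 port 40000 ssh2
Oct 17 09:02:15 host sshd[2111]: Accepted publickey for kyle from 198.51.100.7 port 40001 ssh2
Oct 17 09:03:00 host sshd[2120]: Invalid user guest from 203.0.113.5
"""

# Only "Failed password" lines are counted: sshd also logs a separate
# "Invalid user" line for the same attempt, which would double-count it.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for .* from (\d{1,3}(?:\.\d{1,3}){3}) port")

def count_failures(log_text):
    """Number of failed password attempts per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def offenders(log_text, threshold=5, allowlist=()):
    """IPs with at least `threshold` failures, minus an allowlist of addresses
    you never want to lock out (e.g. your own management hosts)."""
    return {ip for ip, n in count_failures(log_text).items()
            if n >= threshold and ip not in allowlist}

def update_hosts_deny(existing, ips):
    """Return hosts.deny text with one 'sshd: IP' line per new offender.
    Addresses already present are skipped so repeated runs stay idempotent."""
    present = set()
    for line in existing.splitlines():
        rule = line.split("#", 1)[0].strip()
        if rule.startswith("sshd:"):
            present.update(p.strip() for p in rule[5:].split(","))
    new_lines = ["sshd: %s\n" % ip for ip in sorted(ips) if ip not in present]
    if existing and not existing.endswith("\n"):
        existing += "\n"
    return existing + "".join(new_lines)

if __name__ == "__main__":
    print(update_hosts_deny("", offenders(SAMPLE_LOG)), end="")
```

Since tcpwrappers consults hosts.allow before hosts.deny, listing your own management addresses there as well protects against locking yourself out on a typo.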