[NBLUG/talk] opensshd delay after fail
Dave Sisley
dsisley at sonic.net
Mon Oct 17 14:57:23 PDT 2005
Bob Blick wrote:
>Everybody who reads their logs sees brute force ssh login attempts, once
>per second or more frequently.
>
>For highest security, having no users and disabling interactive ssh is the
>way to go, but this is impractical.
>
>Some people have routed sshd through the pam modules to add a delay, but
>pam doesn't behave the way one would like for ssh.
>
>Has anyone found a solution that adds a delay to sshd for failed login
>attempts? A patch to opensshd or an alternative to opensshd?
>
>Thanks,
>
>Bob
>_______________________________________________
>talk mailing list
>talk at nblug.org
>http://nblug.org/cgi-bin/mailman/listinfo/talk
Hey, Bob:
I got a lot of help from this list last year on this very subject (the
relevant thread is in the NBLUG List Archive:
http://nblug.org/pipermail/talk/2004-October/008069.html). The
suggestions I liked were:
- no root login
- use a different port for ssh
- use key pair authentication
My needs may be simpler than yours - I'm the only one who needs to log
into my machine. I also thought it would be impractical to set up key
pairs, and that I would end up not being able to log into my box from
some random machine out in the world. I left myself a sort of backdoor,
however:
I have an account on another machine, where I keep the public key for my
home machine. If I really need to reach my machine from someplace where
I do not have a key, I log into the aforementioned account and then hop
to my machine from there.
I invite the security-minded among us to scold me if that sounds like a
bad idea, but I thought I'd mention it as an option.
-dave.
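Dave's three suggestions correspond to sshd_config keywords (PermitRootLogin, Port, PasswordAuthentication/PubkeyAuthentication). The script below is an added example, not code from this thread or from OpenSSH: a small POSIX shell audit that reads an sshd_config file and flags the settings his list would change, shown against a constructed "as shipped" config and a constructed hardened one. The defaults it assumes for absent keywords are those of current OpenSSH releases (PermitRootLogin has defaulted to prohibit-password since 7.0; in 2005 it defaulted to yes), and it handles only the `Keyword value` form, not `Keyword=value`.

```shell
#!/bin/sh
# Added example (not from the original thread): audit an sshd_config against
# the three hardening points above. Keyword names are real sshd_config
# options; the two sample files are constructed for this demo.

# Print the effective global value of an sshd_config keyword.
# sshd uses the FIRST value it reads for a keyword, so we stop at the first
# hit. Keywords are case-insensitive. Comments and blank lines are skipped.
# Values inside a "Match" block apply only conditionally, so scanning stops
# at the first Match line. $3 is printed if the keyword never appears.
sshd_get() {
    # $1 = config file, $2 = keyword, $3 = default if unset
    awk -v key="$2" -v def="$3" '
        /^[ \t]*(#|$)/            { next }
        tolower($1) == "match"    { exit }
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# Print one line per weak setting found in $1. Always returns 0 so it is
# safe under "set -e"; use sshd_finding_count for the number of findings.
sshd_audit() {
    f="$1"
    # Defaults passed to sshd_get are current OpenSSH compiled-in defaults
    # (assumption; 2005-era builds defaulted PermitRootLogin to yes).
    if [ "$(sshd_get "$f" PermitRootLogin prohibit-password)" = "yes" ]; then
        echo "$f: PermitRootLogin yes -- root can be guessed at directly"
    fi
    if [ "$(sshd_get "$f" Port 22)" = "22" ]; then
        echo "$f: Port 22 -- default port; moving it cuts log noise, not risk"
    fi
    if [ "$(sshd_get "$f" PasswordAuthentication yes)" = "yes" ]; then
        echo "$f: PasswordAuthentication yes -- password guessing still works"
    fi
    if [ "$(sshd_get "$f" PubkeyAuthentication yes)" != "yes" ]; then
        echo "$f: PubkeyAuthentication off -- key pairs cannot be used"
    fi
    return 0
}

# Number of findings for config file $1, printed on stdout.
sshd_finding_count() {
    sshd_audit "$1" | wc -l | tr -d ' '
}

# --- constructed sample configs ---------------------------------------------
WEAK_CFG=$(mktemp)
HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT

# Roughly what many 2005-era distributions shipped (constructed sample).
cat > "$WEAK_CFG" <<'EOF'
# sshd_config (constructed sample, permissive)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF

# The same file after applying the three suggestions (constructed sample).
# The trailing Match block shows that per-user overrides are not mistaken
# for the global setting.
cat > "$HARD_CFG" <<'EOF'
# sshd_config (constructed sample, hardened)
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
Match User backup
    PasswordAuthentication yes
EOF

echo "== permissive config =="
sshd_audit "$WEAK_CFG"
echo "findings: $(sshd_finding_count "$WEAK_CFG")"
echo "== hardened config =="
sshd_audit "$HARD_CFG"
echo "findings: $(sshd_finding_count "$HARD_CFG")"
```

For the "hop" Dave describes, OpenSSH 7.3 and later can do it in one step with `ssh -J intermediate-host home-host` (or a `ProxyJump` line in `~/.ssh/config`); the connection to the home machine is still authenticated end to end from the client, so the intermediate account only needs to be reachable, not trusted with the key.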