On Thu, Jul 12, 2007 at 06:37:13PM +0100, Craig Hurley wrote:
> On 11/07/2007 04:44, Bob Proulx wrote:
>> If you are finding 'denyhosts' difficult then you may want to install
>> 'fail2ban' as one standalone method to stop this since it is extremely
>> simple.  It should work out of the box.
>
> Denyhosts did work out of the box.
>
> My understanding of how denyhosts works is that it is scheduled to parse the
> auth.log file every X seconds, identifying failed login attempts; it then
> tallies those attempts, and if the total of failed login attempts is above Y,
> writes the source IP to /etc/hosts.deny.  The (very minor) hole here is that,
> say denyhosts runs every 30 seconds, script-happy-john has a window of 30
> seconds to guess user name & password pairs.

The solution to this problem is to read man sshd_config and look at
LoginGraceTime, MaxAuthTries, and MaxStartups. By tweaking these
values (though I think they're fairly good in stock configuration) you
can control all sorts of behaviors for ssh logins.

MaxAuthTries is set to 6 and starts logging at half that value. At six
failures the connection is dropped. MaxStartups is 10, which means
at most 10 unauthenticated connections at a time. With all ten
going, that's 60 attempts per shot basically. The point is, even
looking at someone pounding it for 30 seconds before denyhosts picks
it up, it's not really a whole lot of attempts. Throw in some firewall
rules to control the frequency of permitted connections, and you can
majorly throttle someone's ability to dictionary attack you. If you have good
passwords, you should be okay.

There are other features you can throw in like "random early drop"
using the MaxStartups value. That will randomly kick people
(depending on how you set it) once you're above some threshold. 

Finally, if possible, just turn off password authentication altogether
and use pubkey authentication.

A
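As an added example (not code from the thread above), a small POSIX sh audit of the sshd_config knobs the reply names: it reads MaxAuthTries, the "start" field of MaxStartups (plain `10` or `10:30:100`), LoginGraceTime and PasswordAuthentication, and reproduces the "60 attempts per shot" figure as MaxStartups start × MaxAuthTries. It assumes OpenSSH's rule that the first value found for a keyword wins, and the stock defaults (6, 10, 120, yes) when a keyword is absent; the config file it reads is a constructed sample written to a temp file.

```shell
#!/bin/sh
# sshd_opt FILE KEYWORD DEFAULT
# sshd uses the FIRST value it finds for a keyword (case-insensitive);
# a later duplicate does not override it. Commented lines are skipped.
sshd_opt() {
    awk -v key="$2" -v def="$3" '
        $1 ~ /^#/ { next }
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print def }' "$1"
}

# maxstartups_start FILE: the "start" field of MaxStartups. Past this many
# unauthenticated connections sshd begins random early drop (rate%), and
# refuses all new ones at "full".
maxstartups_start() {
    sshd_opt "$1" MaxStartups 10 | cut -d: -f1
}

# attempts_per_shot FILE: worst-case password guesses from one batch of
# concurrent unauthenticated connections = MaxStartups(start) * MaxAuthTries.
attempts_per_shot() {
    echo $(( $(maxstartups_start "$1") * $(sshd_opt "$1" MaxAuthTries 6) ))
}

# password_auth_enabled FILE: yes/no, lower-cased (OpenSSH default: yes).
password_auth_enabled() {
    sshd_opt "$1" PasswordAuthentication yes | tr 'A-Z' 'a-z'
}

# --- constructed sample sshd_config, not a real host's file ---
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
# constructed example; stock-like values
LoginGraceTime 120
MaxAuthTries 6
# start:rate:full -> drop 30% of new connections past 10, all past 100
MaxStartups 10:30:100
PasswordAuthentication yes
PasswordAuthentication no
EOF

echo "MaxAuthTries:      $(sshd_opt "$SAMPLE_CFG" MaxAuthTries 6)"
echo "MaxStartups start: $(maxstartups_start "$SAMPLE_CFG")"
echo "LoginGraceTime:    $(sshd_opt "$SAMPLE_CFG" LoginGraceTime 120)"
echo "Guesses per shot:  $(attempts_per_shot "$SAMPLE_CFG")"
echo "Password auth:     $(password_auth_enabled "$SAMPLE_CFG")"
```

Point the functions at /etc/ssh/sshd_config on a real host to see the actual figure; the duplicate PasswordAuthentication line in the sample shows why the first value, not the last, is the one that counts.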
