Re: [CentOS] How to delay failed ssh auth
Hi,

You can create iptables rules to rate-limit SSH connections. Create a new chain named SSH_CHECK:

    /sbin/iptables -N SSH_CHECK

Redirect all new requests for port 22 to the new chain SSH_CHECK:

    /sbin/iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_CHECK

Then allow all of your valid remote IPs that are allowed to log in:

    /sbin/iptables -I SSH_CHECK 1 -s 1.2.3.4 -j ACCEPT
    /sbin/iptables -I SSH_CHECK 2 -s 10.10.2.2 -j ACCEPT

Then for the rest of the IPs it won't allow more than 4 connections within a 60 second interval, which is useful to prevent brute force attacks.

    # drop when the source already has 4 or more hits in the SSH list within the last 60 s;
    # on a match --update also refreshes the timestamp, so a host that keeps hammering stays blocked
    /sbin/iptables -A SSH_CHECK -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
    # record the source in the SSH list; without this --set rule the list is never
    # populated and the DROP rule above never matches
    /sbin/iptables -A SSH_CHECK -m recent --set --name SSH

Regards.
crazy paps

On Fri, Nov 28, 2008 at 12:36 PM, Veiko Kukk [EMAIL PROTECTED] wrote:
> Hi!
> I need to delay failed ssh password authentication as an additional measure against brute force ssh attacks. I understand that should be accomplished through PAM, but googling gave me no example. I have CentOS 5.2.
> --
> Veiko Kukk

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
RE: [CentOS] How to delay failed ssh auth
Hi

You could install a new PAM module: http://www-uxsup.csx.cam.ac.uk/~pjb1008/project/pam_delay/

Although I have not tested it.

Regards

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Veiko Kukk
Sent: 28 November 2008 07:06
To: centos@centos.org
Subject: [CentOS] How to delay failed ssh auth

> Hi!
> I need to delay failed ssh password authentication as an additional measure against brute force ssh attacks. I understand that should be accomplished through PAM, but googling gave me no example. I have CentOS 5.2.
> --
> Veiko Kukk
Re: [CentOS] How to delay failed ssh auth
Veiko Kukk wrote:
> I need to delay failed ssh password authentication as an additional measure against brute force ssh attacks. I understand that should be accomplished through PAM, but googling gave me no example. I have CentOS 5.2.

pam_shield and pam_delay are both modules you can use for stuff like this, although I don't personally like either. If you get thousands of hits per hour, PAM's internal response time gets slowed down, and it's not insignificant unless you have exceptionally large machines. Same thing with log watchers including denyhosts / fail2ban etc.: the overhead isn't really worth it. At the moment switching ports to something else non-standard works well and needs no extra s/w etc.

- KB
Re: [CentOS] How to delay failed ssh auth
> Hi!
> I need to delay failed ssh password authentication as an additional measure against brute force ssh attacks. I understand that should be accomplished through PAM, but googling gave me no example. I have CentOS 5.2.

Hi

I think you can use iptables and ipt_recent for this case. Please search for ipt_recent.
Re: [CentOS] How to delay failed ssh auth
Veiko Kukk wrote:
> Hi!
> I need to delay failed ssh password authentication as an additional measure against brute force ssh attacks. I understand that should be accomplished through PAM, but googling gave me no example. I have CentOS 5.2.

I think I'd set MaxAuthTries to 2 in /etc/ssh/sshd_config (give your legit users one chance when they mistype the password), then use the iptables stuff to rate limit ssh connections from a given source IP: after a few connection attempts in 1 minute, blacklist that IP for a half hour or something. You don't want to set it TOO sensitive or you'll find yourself unable to open several shell windows to the same host (something I do frequently so I can have one for an edit session or running an installer or something, and another for man or for doing root stuff, or whatever).
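The two iptables suggestions in this thread (the SSH_CHECK chain with `-m recent --update --seconds 60 --hitcount 4`, and the warning above not to make the limit so tight that a legitimate admin opening several shells gets locked out) both come down to how the `recent` match counts hits. The following is an added example, not code posted by anyone in the thread: a small Python model of the `recent` list semantics as documented in the iptables man page (`--set` records the source, `--update` matches when the source has at least `--hitcount` hits within the last `--seconds` seconds and refreshes the entry on a match, `--rcheck` matches the same way but does not refresh), run over constructed connection timelines so the numbers can be tuned before touching a live firewall. The per-source stamp cap of 20 (the module's `ip_pkt_list_tot` default) and all IP addresses are assumptions for the simulation; the thread states neither.

```python
"""Model of the iptables 'recent' match behind the SSH_CHECK chain.

Added example (not from the mailing-list thread). It simulates

    -A SSH_CHECK -s <whitelisted> -j ACCEPT
    -A SSH_CHECK -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
    -A SSH_CHECK -m recent --set --name SSH

over constructed timelines of NEW TCP/22 connections. Semantics follow the
iptables man page; the stamp cap of 20 per source (ip_pkt_list_tot default)
is an assumption about module defaults.
"""

from collections import defaultdict


class RecentList:
    """One named list as kept by the kernel module (e.g. --name SSH)."""

    def __init__(self, max_stamps=20):
        self.max_stamps = max_stamps
        self.stamps = defaultdict(list)  # source IP -> timestamps of hits

    def set(self, src, now):
        """--set: add the source (or a new stamp for it), keeping newest stamps."""
        hits = self.stamps[src]
        hits.append(now)
        del hits[:-self.max_stamps]

    def update(self, src, now, seconds, hitcount, refresh=True):
        """--update (refresh=True) or --rcheck (refresh=False) with
        --seconds S --hitcount N: True if src has >= N stamps within the
        last S seconds. --update also refreshes the entry on a match."""
        if src not in self.stamps:
            return False
        within_window = [t for t in self.stamps[src] if now - t <= seconds]
        if len(within_window) >= hitcount:
            if refresh:
                self.set(src, now)  # "last seen" stamp refreshed on a match
            return True
        return False


def ssh_check(events, whitelist=(), seconds=60, hitcount=4, refresh=True):
    """Run (time, src) NEW-connection events through the SSH_CHECK chain and
    return the verdict ('ACCEPT' or 'DROP') for each event, in order."""
    table = RecentList()
    verdicts = []
    for now, src in events:
        if src in whitelist:  # -I SSH_CHECK 1 -s 1.2.3.4 -j ACCEPT
            verdicts.append("ACCEPT")
            continue
        if table.update(src, now, seconds, hitcount, refresh):  # ... -j DROP
            verdicts.append("DROP")
            continue
        table.set(src, now)  # -m recent --set --name SSH
        verdicts.append("ACCEPT")  # end of chain: back to INPUT
    return verdicts


# Constructed timelines (documentation-range IPs, not captured traffic):
ATTACKER = [(t, "198.51.100.7") for t in range(0, 130, 10)]  # 13 tries, one every 10 s
ADMIN = [(0, "203.0.113.5"), (3, "203.0.113.5"), (5, "203.0.113.5")]  # 3 shells in 5 s
RETURNING = [(0, "192.0.2.9")] * 5 + [(100, "192.0.2.9")]  # burst, then quiet for 100 s


def demo():
    """Verdict lists for each scenario, keyed by scenario name."""
    return {
        # --update keeps refreshing, so a host that keeps trying stays blocked
        "attacker_update": ssh_check(ATTACKER),
        # --rcheck does not refresh: the block lapses once old stamps age out
        "attacker_rcheck": ssh_check(ATTACKER, refresh=False),
        # three quick admin logins are fine at --hitcount 4 ...
        "admin": ssh_check(ADMIN),
        # ... but --hitcount 2 locks the admin out on the third shell
        "admin_hitcount_2": ssh_check(ADMIN, hitcount=2),
        # a blocked host is let back in after the 60 s window has expired
        "returning": ssh_check(RETURNING),
        # whitelisted sources never enter the list at all
        "whitelisted": ssh_check(ATTACKER, whitelist={"198.51.100.7"}),
    }


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:17s} {' '.join(v[0] for v in verdicts)}")
```

The `attacker_update` versus `attacker_rcheck` rows show why the thread's rule uses `--update`: with `--rcheck` the attacker gets four more attempts every time the window slides past the old stamps, while `--update` keeps the entry fresh for as long as the attempts continue. The `admin_hitcount_2` row is the lockout the last reply warns about.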