Re: protecting multiuser systems from bruteforce ssh attacks

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] 

 

-----Original Message-----
From: centos-bounces@xxxxxxxxxx [mailto:centos-bounces@xxxxxxxxxx] On
Behalf Of Eugene Vilensky
Sent: Thursday, August 20, 2009 10:15 PM
To: CentOS mailing list
Subject:  protecting multiuser systems from bruteforce ssh
attacks

Hello,

What is the best way to protect multiuser systems from brute force
attacks?  I am setting up a relatively loose DenyHosts policy, but I
like the idea of locking an account for a time if too many attempts are
made, but to balance this with keeping the user from making a helpdesk
call.
What are some policies/techniques that have worked for this list with
minimal hassle?

Hi Eugene,

Depends on the number of users (as you mentioned "mutisuser" ) And how
strong you want your system to be protected.
If its not a couple of thousands, i would suggest:
Disabling password-login alltogether, and use keys only.

On the other hand, you can also demand that all connection must be made
by using a vpn-connection (openvpn/ipsec). 
After that you can be assured that any attempt is from a local user.

Both are a much stronger protection than allow/deny or
firewall-mechanisms

Hans

______________________________________________________________________
Dit bericht kan informatie bevatten die niet voor u is bestemd. Indien u niet de geadresseerde bent of dit bericht abusievelijk aan u is toegezonden, wordt u verzocht dat aan de afzender te melden en het bericht te verwijderen. De Staat aanvaardt geen aansprakelijkheid voor schade, van welke aard ook, die verband houdt met risico's verbonden aan het elektronisch verzenden van berichten.

This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux