Re: a GOOD idea to harden OpenSSH!

--- On Wed, 3/30/11, nagygabor88 <nagygabor88@xxxxxxxx> wrote:

> From: nagygabor88 <nagygabor88@xxxxxxxx>
> Subject: a GOOD idea to harden OpenSSH!
> To: "OpenSSH list" <secureshell@xxxxxxxxxxxxxxxxx>
> Date: Wednesday, March 30, 2011, 12:19 PM
>
> 
> if a user wants to connect to an ssh server then he has to
> wait a couple of seconds, then he can write his passphrase.
> the "couple of seconds" is defined in the sshd config,
> e.g.: 2 seconds
> the method mustn't show that the user has to wait 2 seconds
> to write his passphrase.
> 

This can already be similarly done using iptables, with entries such as:
$IPTABLES -N SSH_CHECK
$IPTABLES -I INPUT -p tcp --dport 22 -m state --state NEW -j SSH_CHECK
$IPTABLES -A SSH_CHECK -m recent --set --name SSH
$IPTABLES -A SSH_CHECK -m recent --update --seconds 180 --hitcount 5 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "
$IPTABLES -A SSH_CHECK -m recent --update --seconds 180 --hitcount 5 --rttl --name SSH -j DROP

What this does:  If I get more than 5 hits within 180 seconds, block them for 180 seconds.
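To see how those rules behave over time, here is an added Python model (not part of the original post, and not the kernel's xt_recent code) that replays constructed NEW-connection timestamps through the SSH_CHECK chain: --set records every attempt, and --update --seconds 180 --hitcount 5 drops once five attempts fall inside the window. It assumes the default per-address list length of 20 entries and ignores --rttl (the TTL check).

```python
from collections import deque

WINDOW_SECONDS = 180   # --seconds 180
HITCOUNT = 5           # --hitcount 5
LIST_LEN = 20          # assumption: xt_recent default ip_pkt_list_tot=20 timestamps per address


class RecentTable:
    """Minimal model of the xt_recent table named SSH (constructed for illustration)."""

    def __init__(self):
        self.hits = {}  # source address -> timestamps of its NEW connections

    def set(self, src, now):
        # -m recent --set --name SSH: record this attempt for the source
        self.hits.setdefault(src, deque(maxlen=LIST_LEN)).append(now)

    def update_matches(self, src, now):
        # -m recent --update --seconds 180 --hitcount 5: match when at least
        # HITCOUNT recorded attempts (including this one) lie inside the window
        recent = [t for t in self.hits.get(src, ()) if now - t <= WINDOW_SECONDS]
        return len(recent) >= HITCOUNT


def ssh_check(table, src, now):
    """Walk the SSH_CHECK chain for one NEW SYN; return the verdict."""
    table.set(src, now)
    if table.update_matches(src, now):
        return "DROP"  # the LOG rule fires first, then the identical DROP rule
    return "ACCEPT"


def replay(events):
    """events: iterable of (seconds, source). Returns [(seconds, source, verdict)]."""
    table = RecentTable()
    return [(t, src, ssh_check(table, src, t)) for t, src in events]


# Constructed sample: one source hammering port 22, one normal user logging in twice.
SAMPLE = [(0, "203.0.113.9"), (0, "192.0.2.7"), (10, "203.0.113.9"),
          (20, "203.0.113.9"), (30, "203.0.113.9"), (40, "203.0.113.9"),
          (60, "192.0.2.7"), (100, "203.0.113.9"), (200, "203.0.113.9"),
          (400, "203.0.113.9")]

if __name__ == "__main__":
    for t, src, verdict in replay(SAMPLE):
        print(f"t={t:4d}s {src:<14} {verdict}")
```

Because --set refreshes the entry on every NEW connection, a source that keeps retrying stays blocked until it has been quiet for 180 seconds; the 400 s attempt in the sample is accepted again for that reason.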
