Re: a GOOD idea to harden OpenSSH!

you can already use fail2ban to accomplish this kind of thing.

the original idea i think is somewhat terrible in a multi-user enterprise-y kind of environment since you'll wind up telling users that they have to wait 2 seconds before entering their passphrase constantly. for your home server it might work, but you can always set up public keys or OTP pretty easily as well, in addition to fail2ban.

you can also use pam_tally to only allow 6 failed passwords in a row before locking the account. i run the cronjob to unlock all the accounts every 30 mins or so, which only allows a velocity of 12 guesses per hour on a single account, while not requiring users with locked accounts to call up a helpdesk.



On 3/31/11 11:24 AM, Joseph Spenner wrote:
--- On Wed, 3/30/11, nagygabor88 <nagygabor88@xxxxxxxx> wrote:

From: nagygabor88 <nagygabor88@xxxxxxxx>
Subject: a GOOD idea to harden OpenSSH!
To: "OpenSSH list" <secureshell@xxxxxxxxxxxxxxxxx>
Date: Wednesday, March 30, 2011, 12:19 PM


if a user wants to connect to an ssh server then he has to
wait a couple of seconds, then he can write his passphrase.
the "couple of seconds" is defined in the sshd config,
e.g.: 2 seconds
the method mustn't show that the user has to wait 2 seconds
to write his passphrase.

This can already be similarly done using iptables, with entries such as:
IPTABLES=/sbin/iptables   # assumed path; the original script defines this elsewhere
# user-defined chain that every new SSH connection is routed through
$IPTABLES -N SSH_CHECK
$IPTABLES -I INPUT -p tcp --dport 22 -m state --state NEW -j SSH_CHECK
# record the source address of this connection in the "SSH" recent list
$IPTABLES -A SSH_CHECK -m recent --set --name SSH
# if the source has reached 5 hits inside 180 seconds, log the attempt and drop it
# (--update refreshes the source's timestamp, so continued attempts extend the block)
$IPTABLES -A SSH_CHECK -m recent --update --seconds 180 --hitcount 5 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "
$IPTABLES -A SSH_CHECK -m recent --update --seconds 180 --hitcount 5 --rttl --name SSH -j DROP

What this does:  If I get more than 5 hits within 180 seconds, block them for 180 seconds.
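As an added illustration, not part of the thread and not Joseph Spenner's rules, the following Python replays the same counting rule (5 hits from one source inside a 180-second window, with every attempt refreshing the window the way the leading --set rule and --update do) over a handful of constructed sshd log lines. It is the log-level equivalent of what fail2ban's maxretry/findtime pair does, and shows that the fifth hit is the one that trips the rule and that a source which keeps hammering keeps itself blocked until it goes quiet for the full window. The log lines, host name and addresses are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd log lines (syslog format, no year); not taken from the thread.
SAMPLE_LOG = """\
Mar 30 12:19:01 bastion sshd[4021]: Failed password for root from 10.0.0.5 port 51234 ssh2
Mar 30 12:19:15 bastion sshd[4023]: Failed password for root from 10.0.0.5 port 51240 ssh2
Mar 30 12:19:20 bastion sshd[4025]: Failed password for invalid user admin from 192.0.2.10 port 40010 ssh2
Mar 30 12:19:30 bastion sshd[4027]: Failed password for invalid user admin from 10.0.0.5 port 51250 ssh2
Mar 30 12:19:45 bastion sshd[4029]: Failed password for root from 10.0.0.5 port 51258 ssh2
Mar 30 12:20:00 bastion sshd[4031]: Failed password for root from 10.0.0.5 port 51262 ssh2
Mar 30 12:20:30 bastion sshd[4033]: Failed password for root from 10.0.0.5 port 51270 ssh2
Mar 30 12:21:00 bastion sshd[4035]: Failed password for root from 10.0.0.5 port 51281 ssh2
Mar 30 12:27:00 bastion sshd[4040]: Failed password for root from 10.0.0.5 port 51300 ssh2
"""

# Matches the "Failed password" line sshd writes for a rejected password attempt.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_failed_login(line, year=2011):
    """Return (timestamp, source_ip) for a failed-password line, or None for any other line.

    Syslog lines carry no year, so the caller supplies one (2011 matches the thread's date).
    """
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    stamp = " ".join(m.group("ts").split())  # collapse the double space before single-digit days
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return ts, m.group("ip")


def simulate(lines, window_seconds=180, hitcount=5):
    """Replay failed-login lines through a per-source sliding window.

    Mirrors the rule in the iptables snippet: a source with `hitcount` or more hits
    inside `window_seconds` is dropped.  Every attempt is recorded, dropped or not,
    just as the --set rule fires for every new connection, so the block persists
    while the source keeps trying.  Returns a list of (timestamp, ip, action).
    """
    recent = defaultdict(deque)  # ip -> timestamps of hits still inside the window
    decisions = []
    for line in lines:
        parsed = parse_failed_login(line)
        if parsed is None:
            continue  # unrelated log line
        ts, ip = parsed
        hits = recent[ip]
        # forget hits that have aged out of the window
        while hits and (ts - hits[0]).total_seconds() > window_seconds:
            hits.popleft()
        hits.append(ts)
        action = "drop" if len(hits) >= hitcount else "accept"
        decisions.append((ts, ip, action))
    return decisions


def dropped_sources(decisions):
    """Sorted list of source addresses that were dropped at least once."""
    return sorted({ip for _, ip, action in decisions if action == "drop"})


if __name__ == "__main__":
    for ts, ip, action in simulate(SAMPLE_LOG.splitlines()):
        print(f"{ts:%H:%M:%S} {ip:<12} {action}")
    print("blocked sources:", dropped_sources(simulate(SAMPLE_LOG.splitlines())))
```

Running it shows 10.0.0.5 accepted for its first four attempts, dropped from the fifth onward while it keeps retrying every 30 seconds, and accepted again at 12:27:00 once it has been quiet for longer than the window; the single attempt from 192.0.2.10 is never dropped. Feeding real /var/log/auth.log lines through the same loop is a quick way to check what a given window and hitcount would have done to your own traffic before deploying the rules.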
