Re: a GOOD idea to harden OpenSSH!

On Sunday, April 03, 2011 12:17:55 pm Lamont Granquist wrote:
> you can already use fail2ban to accomplish this kind of thing.
> 
> the original idea i think is somewhat terrible in a multi-user
> enterprise-y kind of environment since you'll wind up telling users that
> they have to wait 2 seconds before entering their passphrase
> constantly.  for your home server it might work, but you can always
> set up public keys or OTP pretty easily as well, in addition to fail2ban.
> 
> you can also use pam_tally to only allow 6 failed passwords in a row
> before locking the account.  i run the cronjob to unlock all the
> accounts every 30 mins or so, which only allows a velocity of 12 guesses
> per hour on a single account, while not requiring users with locked
> accounts to call up a helpdesk.
> 
I've had good experiences with bfd[1], which scans logs for invalid login 
attempts per user; after X attempts, the IP is banned. The length of the ban 
is variable (30 minutes was good enough to stop repeated attacks). 

Bonus, it kept the logs clean.

Mike

http://www.rfxn.com/projects/brute-force-detection/
-- 
To the systems programmer, users and applications serve only to provide a
test load.
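The ban-after-X-failures, expire-after-N-minutes logic the thread describes (bfd and fail2ban do this against the firewall; pam_tally does the per-account variant), as an added example that is not bfd's, fail2ban's or pam_tally's own code. It parses constructed sshd syslog lines, counts "Failed password" entries per source IP inside a sliding window, records a ban once the count reaches the threshold (6, the figure Lamont uses for pam_tally) and lifts it after the ban duration (30 minutes, Mike's figure). The log lines, hostnames and addresses are made up; a real deployment would turn the "ban" event into a firewall rule rather than an in-memory list.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines (syslog format, year omitted as in real logs).
# 203.0.113.5 fails six times in ten seconds, then tries again after the ban
# has expired; 198.51.100.7 is a legitimate user with one typo.
SAMPLE_LOG = """\
Apr  3 12:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Apr  3 12:00:03 host sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Apr  3 12:00:05 host sshd[1003]: Failed password for root from 203.0.113.5 port 40003 ssh2
Apr  3 12:00:07 host sshd[1004]: Failed password for root from 203.0.113.5 port 40004 ssh2
Apr  3 12:00:09 host sshd[1005]: Failed password for invalid user oracle from 203.0.113.5 port 40005 ssh2
Apr  3 12:00:11 host sshd[1006]: Failed password for invalid user test from 203.0.113.5 port 40006 ssh2
Apr  3 12:00:12 host sshd[1007]: Accepted publickey for mike from 198.51.100.7 port 50001 ssh2
Apr  3 12:05:00 host sshd[1008]: Failed password for mike from 198.51.100.7 port 50002 ssh2
Apr  3 12:31:00 host sshd[1009]: Failed password for root from 203.0.113.5 port 40007 ssh2
"""

# Matches the OpenSSH "Failed password" line for both existing and invalid users.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_ts(ts, year=2011):
    """Syslog timestamps carry no year; assume one (2011 here, the thread's date)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


class BruteForceDetector:
    """Sliding-window failure counter with a timed ban per source IP."""

    def __init__(self, threshold=6, window=timedelta(minutes=10),
                 ban_duration=timedelta(minutes=30)):
        self.threshold = threshold
        self.window = window
        self.ban_duration = ban_duration
        self.failures = defaultdict(list)  # ip -> timestamps of recent failures
        self.bans = {}                     # ip -> datetime the ban expires
        self.events = []                   # (timestamp, "ban"|"unban", ip)

    def is_banned(self, ip, now):
        """True while a ban is active; expires it (and records that) once it has lapsed."""
        expiry = self.bans.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.bans[ip]
            self.events.append((now, "unban", ip))
            return False
        return True

    def feed(self, line):
        """Process one log line; returns None, 'banned', 'ban' or 'count'."""
        m = FAILED_RE.match(line)
        if not m:
            return None
        now, ip = parse_ts(m["ts"]), m["ip"]
        if self.is_banned(ip, now):
            return "banned"  # packets from a banned host would not reach sshd at all
        # Keep only failures inside the window, then add this one.
        recent = [t for t in self.failures[ip] if t >= now - self.window]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) >= self.threshold:
            self.bans[ip] = now + self.ban_duration
            self.failures[ip] = []
            self.events.append((now, "ban", ip))
            return "ban"
        return "count"


def scan(log_text, **kw):
    """Run the detector over a whole log and return it for inspection."""
    det = BruteForceDetector(**kw)
    for line in log_text.splitlines():
        det.feed(line)
    return det


if __name__ == "__main__":
    for ts, action, ip in scan(SAMPLE_LOG).events:
        print(ts, action, ip)
```

On the sample log the scanner bans 203.0.113.5 at the sixth failure (12:00:11) and lifts the ban when the next attempt arrives at 12:31:00, past the 30-minute expiry; 198.51.100.7's single failure never reaches the threshold. The window keeps a slow attacker spreading guesses over days from ever tripping it, which is the same trade-off pam_tally's periodic unlock makes on the per-account side.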

