Ralph Katz wrote:
> On 08/18/04 21:13, Alvin Oga wrote:
>> i assume you have enabled tcp_wrappers on sshd ??
>> and for more fun, you can put sshd logins into their own chroot jails
>
> That's a good suggestion for a different situation, thanks.
> I want to enable FAIL_DELAY, if that's possible, to make the host less attractive to attackers and lower the overhead fending off login probes.
> So, how can FAIL_DELAY be enabled for ssh? Or is it just unavailable to sshd?

Take a look at the pop-before-smtp package.
It scans the system mail log looking for successful imap/pop3 logins and enables mail relaying from those addresses for a short time. A similar approach could be used to block traffic altogether from wannabees. Look for messages like these:
Sep 20 20:12:45 kowari sshd[2545]: error: PAM: Authentication failure for summer from dolphin.demo.room
Sep 20 20:12:45 kowari sshd[2545]: Failed keyboard-interactive/pam for summer from 192.168.9.114 port 36635 ssh2
Sep 20 20:12:47 kowari sshd[2545]: Failed password for summer from 192.168.9.114 port 36635 ssh2
It would be reasonable to drop all traffic from such an address for a while: an hour would probably be adequate. You could also perhaps think of dropping the whole class C.
--
Cheers John
-- spambait [EMAIL PROTECTED] [EMAIL PROTECTED] Tourist pics http://portgeographe.environmentaldisasters.cds.merseine.nu/
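
The log scan suggested in the message above, sketched as an added example that is not part of the original post. The names `blocklist` and `class_c`, the threshold of three failures and the ten-minute window are assumptions; the one-hour block is the figure from the message. Sample lines marked as constructed are not from the thread.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches sshd "Failed <method> for [invalid user ]<user> from <ip> port <n>" lines.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed \S+ for (?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

def blocklist(lines, year, threshold=3, window=timedelta(minutes=10),
              block_for=timedelta(hours=1)):
    """Return {ip: unblock_time} for sources with >= threshold failures in window."""
    recent = defaultdict(list)
    blocked = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue  # PAM error lines and successful logins are ignored
        # Syslog timestamps carry no year, so the caller supplies it.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        hits = recent[m["ip"]]
        hits.append(ts)
        hits[:] = [t for t in hits if ts - t <= window]  # sliding window
        if len(hits) >= threshold:
            blocked[m["ip"]] = ts + block_for  # each new failure extends the block
    return blocked

def class_c(ip):
    """The enclosing /24, for the 'drop the whole class C' variant."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))

SAMPLE = [
    "Sep 20 20:12:45 kowari sshd[2545]: error: PAM: Authentication failure for summer from dolphin.demo.room",
    "Sep 20 20:12:45 kowari sshd[2545]: Failed keyboard-interactive/pam for summer from 192.168.9.114 port 36635 ssh2",
    "Sep 20 20:12:47 kowari sshd[2545]: Failed password for summer from 192.168.9.114 port 36635 ssh2",
    # The two lines below are constructed for this example.
    "Sep 20 20:12:49 kowari sshd[2545]: Failed password for summer from 192.168.9.114 port 36635 ssh2",
    "Sep 20 20:13:02 kowari sshd[2551]: Failed password for invalid user guest from 192.0.2.7 port 40112 ssh2",
]

if __name__ == "__main__":
    for ip, until in blocklist(SAMPLE, 2004).items():
        print(f"{ip} (or {class_c(ip)}) blocked until {until}")
```

The returned addresses and expiry times are what a cron job would hand to the packet filter or to hosts.deny, removing each entry once its time has passed.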