On Thu, 30 Sep 2004 20:20:59 -0400 Ralph Katz <[EMAIL PROTECTED]> wrote:
> > From: Jacob S ([EMAIL PROTECTED])
> > Subject: SSH Cracking Attempts
> >
> > <snip - problems with crackers looking for weak username/password combinations>
> >
> > The closest I've come to finding something that would help is this,
> > but I don't know how to apply this to Debian:
> >
> > http://lists.sans.org/pipermail/list/2004-July/061242.html
> >
> > >> Is there any way I can lock out an account/machine after a certain
> > >> number of failed login attempts via ssh ?
> > >> similar to what happens on the console of a *nix box or the
> > >> windows login screen
> > >
> > > You haven't said what OS. If it uses pam, then you'll have to swat
> > > up on pam. Have a look at the pam_tally module; on my RH RHAS3
> > > machines, the docs are in /usr/share/doc/pam-0.75/html. You'd modify
> > > /etc/pam.d/sshd or /etc/pam.d/system-auth on a RedHat 8, 9 or ES
> > > installation.
> > >
> > > Example: Add the following to /etc/pam.d/(sshd|system-auth):
> > >
> > > account required /lib/security/$ISA/pam_tally.so onerr=fail
> > > file=/var/log/faillog deny=3 no_magic_root even_deny_root_account
> > >
> > > Reset failed logins (cron!) with /sbin/pam_tally.
> >
> > I can't find anything relevant on pam or /etc/ssh/sshd_config. Sure,
> > there is denying root logins, RhostsRSAAuthentication for known hosts,
> > hosts allow and hosts deny, but those solutions address different
> > situations. But your question remains key for me:
> >
> > > Is there a way to tell ssh to refuse
> > > connections from an ip address after a certain number of failed
> > > login attempts,
> > > Or to send it to a tarpit?
> > > Any ideas?
>
> Oh, you can report attacks at
> http://www.dshield.org/ and get more info.

Excellent, Ralph. Thanks!

I did a little bit of playing around with this on one of the machines inside my network before using it on my public server, just to be safe. :-) Doing a google search on 'pam_tally cron' turned up some nice results, thanks to your links.

I added the two following lines to /etc/pam.d/ssh as partially referenced in one of your links, though I think the second line may be the only one needed:

auth required /lib/security/pam_tally.so onerr=fail no_magic_root
account required /lib/security/pam_tally.so file=/var/log/faillog deny=3 no_magic_root even_deny_root_account reset

Each of those should be on a single line, but my mailer wrapped them due to length.

I also found the following links that may be of some help:

http://www.baverstock.org.uk/tim/pam/
http://cvs.sourceforge.net/viewcvs.py/pam/Linux-PAM/modules/pam_tally/README?rev=1.2
http://www.linuxquestions.org/questions/showthread.php?s=&postid=1107789#post1107789

These do a great job of locking down an account while it's under attack. The unfortunate part is that it simply locks down that account, instead of only locking it when the user is coming from the offending ip. Also, just because an account (say 'fred') has been locked by an offender on ip 123.123.456.456, that does not keep that same ip from successfully logging into the same machine as user 'george', if they know the right password and get it within the specified number of tries. There are pros to this as well, but overall I think they're mainly cons.

At this point I'm thinking tarpitting may provide the more thorough yet tailored approach, but I'm still in the process of doing research on it. And, depending on how it works, these two different approaches may be worth using in parallel.

Thanks again,
Jacob

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
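The per-account versus per-IP distinction Jacob raises above, as an added example (not code from the thread): a small log-analysis routine that keeps a pam_tally-style per-user counter (with deny=3 and reset on success) next to a per-IP counter over constructed sshd log lines, so the 'fred'/'george' case is visible in the output. The log lines, hostnames and addresses are assumptions made up for the example.

```python
import re
from collections import defaultdict

# Constructed sshd log lines (not from the original thread). They model the
# case the mail describes: one source address fails against 'fred' until the
# deny=3 threshold is hit, then gets in as 'george' on its second try.
SAMPLE_AUTH_LOG = """\
Sep 30 20:21:01 host sshd[4012]: Failed password for fred from 198.51.100.7 port 40111 ssh2
Sep 30 20:21:04 host sshd[4012]: Failed password for fred from 198.51.100.7 port 40111 ssh2
Sep 30 20:21:07 host sshd[4012]: Failed password for fred from 198.51.100.7 port 40111 ssh2
Sep 30 20:21:15 host sshd[4013]: Failed password for george from 198.51.100.7 port 40112 ssh2
Sep 30 20:21:18 host sshd[4013]: Accepted password for george from 198.51.100.7 port 40112 ssh2
Sep 30 20:25:40 host sshd[4020]: Failed password for fred from 203.0.113.9 port 51000 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def tally(log_text, deny=3):
    """Return (locked_users, blockable_ips, accepted_after_ip_threshold).

    per_user mirrors what pam_tally keeps in faillog (reset on success);
    per_ip is the count a source-address rule would keep instead.
    """
    per_user = defaultdict(int)
    per_ip = defaultdict(int)
    locked_users, blockable_ips, accepted_after = set(), set(), []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        user, ip, result = m["user"], m["ip"], m["result"]
        if result == "Failed":
            per_user[user] += 1
            per_ip[ip] += 1
            if per_user[user] >= deny:
                locked_users.add(user)
            if per_ip[ip] >= deny:
                blockable_ips.add(ip)
        else:
            per_user[user] = 0  # pam_tally 'reset': clear the user's tally
            if ip in blockable_ips:
                # Success from an address already past the per-IP threshold:
                # the per-account lock alone does not stop this.
                accepted_after.append((user, ip))
    return sorted(locked_users), sorted(blockable_ips), accepted_after
```

With the sample above, 'fred' is locked and 198.51.100.7 is over the per-IP threshold, yet the login as 'george' from that same address is still accepted.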