OS and Software > All Things Unix > How do I secure ssh to only allow 3login attempts?

reply to nklb

Re: How do I secure ssh to only allow 3login attem

I have had lots of the generic scanning stuff lately as well, but in particular there are a couple of hosts who really hammered my box with hundreds of login attempts over a two hour or so period.

I think it would be a much more secure solution anyway to restrict the number of times a given ip can try to connect so that even if they do get the right username/pass eventually it wont do them any good.
--
for all your Linux questions

I don't think you can do so on a per-IP basis with sshd_config or pam. You could use iptables to limit the number of SYN packets destined for port 22 in a given interval from a host range, too.

The problem is, the pam module for login attempts is for the # of attempts for a particular login, e.g. 3 attempts in a row for userX. What you're looking for is something like that but from a particular source IP.
--
"I drank what?" -Socrates

I found an option for the sshd config file at »www.gsp.com/cgi-bin/man.cgi?sect···d_config

MaxAuthTries Specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged. The default is 6.
--
for all your Linux questions

Not in my "man sshd_config" on debian/sid, though it's using a relatively new OpenSSH. Have you tested it?
--
"I drank what?" -Socrates

Just tested it and it does work, but because it is per connection it is easy enough for an attacker to just open up a 2nd connection after the 1st one fails and try again :-/

So still looking for a solution
--
for all your Linux questions

So it is 3 attempts from the same source connection? E.g. it's tied to source port?
--
"I drank what?" -Socrates

no, when a user tries to ssh in and they type a wrong password, they have an opportunity again to supply the right password. If they fail x number of times, they get disconnected. That was one session, and they could always start up another session simply by trying to connect again and they would have x number of attempts to guess the password again.
--
for all your Linux questions

ok, then it sounds like that option does what the pam login limits does as well. Which isn't what you want, of course.

What you really want it some sort of hook to use iptables (or whatever your firewall solutions is if this isn't Linux) to block connections from that IP after X number of failed attempts. I don't know of a generic solution for this, though. Hopefully someone can chime in with something.
--
"I drank what?" -Socrates

reply to nklb