TheLost

@enmar01.ar.comcast.n

reply to nklb

Re: How do I secure ssh to only allow 3 login attem

Well, the best method I can see at this time would be to use iptables to limit the number of NEW connections, like so:

iptables -A INPUT -i eth0 -p tcp --dport 22 -m limit --limit 2/m --limit-burst 2 -m state --state NEW -j ACCEPT

The --limit and --limit-burst can be adjusted as needed, depending on your needs for the system in question. You may want to change them to 1/m and 1, which would cause each attempt to take a minute of their time, so those 116 root login attempts alone would take 116 minutes, give or take.

For the braver ones, you could go so far as changing it to 1/h and 1, so that you can only connect to ssh once per hour, per IP...

Things to take into account are legitimate failed login attempts, connection issues and forgetting to get something done in your previous session.

In addition you can also gain some additional control using the following sshd settings:

KeepAlive no
MaxStartups 10
LoginGraceTime 60
ClientAliveInterval 60
ClientAliveCountMax 1

Adjust as desired. See the man page.

Ultimately it would be nice if SSHD gained a feature where you could have it deny an IP for a specified amount of time after a specified amount of failed login attempts.

Using account lockout would certainly be foolish, since you have no control over which accounts they will be trying and they can easily add more, which may simply result in you being locked out yourself.

Though only allowing a certain IP range and/or changing the port it's running on would work for some, in my case it is not an option, since I have customers using a custom SSH interface.

So, until SSHD can handle it correctly, iptables appears to be the best option at this time.
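As an added example (not code from the thread), the following POSIX sh script prints, and can apply as root, a complete rule set for the approach described above: the limit-based version with an explicit LOG/DROP tail (the quoted rule alone leaves over-limit connections to whatever follows in the INPUT chain), plus a per-source variant using the recent match, which is what actually gives "N attempts per minute per IP" behaviour. Interface eth0, port 22 and the thresholds are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Builds iptables rules for rate-limiting
# NEW SSH connections. Interface, port and thresholds are assumptions.
IFACE="${IFACE:-eth0}"
PORT="${PORT:-22}"

# Global rate limit, as in the post: the "limit" match counts NEW SSH
# connections from ALL sources together, so one noisy host also slows down
# the legitimate admin. The LOG/DROP tail is what makes the limit bite.
ssh_limit_rules() {
  rate="$1"    # e.g. 2/m
  burst="$2"   # e.g. 2
  printf '%s\n' \
    "iptables -A INPUT -i $IFACE -p tcp --dport $PORT -m state --state ESTABLISHED,RELATED -j ACCEPT" \
    "iptables -A INPUT -i $IFACE -p tcp --dport $PORT -m state --state NEW -m limit --limit $rate --limit-burst $burst -j ACCEPT" \
    "iptables -A INPUT -i $IFACE -p tcp --dport $PORT -m state --state NEW -j LOG --log-prefix 'SSH-LIMIT '" \
    "iptables -A INPUT -i $IFACE -p tcp --dport $PORT -m state --state NEW -j DROP"
}

# Per-source variant with the "recent" match: a host whose NEW connections
# reach $hits within $seconds is dropped, and every further attempt
# (--update) extends its block. Other hosts are unaffected. --rttl ignores
# packets whose TTL differs from the recorded one (spoofed lockout attempts).
ssh_recent_rules() {
  hits="$1"     # e.g. 4 = allow 3 connections, drop the 4th
  seconds="$2"  # e.g. 60
  printf '%s\n' \
    "iptables -A INPUT -i $IFACE -p tcp --dport $PORT -m state --state NEW -m recent --name SSH --set" \
    "iptables -A INPUT -i $IFACE -p tcp --dport $PORT -m state --state NEW -m recent --name SSH --update --seconds $seconds --hitcount $hits --rttl -j DROP" \
    "iptables -A INPUT -i $IFACE -p tcp --dport $PORT -m state --state NEW -j ACCEPT"
}

# Dry run by default (prints the commands); pass --apply as root to run them.
main() {
  rules=$(ssh_recent_rules 4 60)
  if [ "${1:-print}" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "need root to apply rules" >&2; return 1; }
    printf '%s\n' "$rules" | while IFS= read -r cmd; do eval "$cmd"; done
  else
    printf '%s\n' "$rules"
  fi
}

main "$@"
```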


nklb
Premium
join:2000-11-17
Ann Arbor, MI
kudos:2

It seems that SSHD itself doesn't offer this functionality (if I knew more about coding I would add it myself and give back to the community :-/)

The iptables solution suggested seems to more than adequately do what I need, so thank you for the help, everyone.


© 1999-2012 dslreports.com.