nklb
Premium
join:2000-11-17
Ann Arbor, MI

How do I secure ssh to only allow 3 login attempts?

I checked my ssh logs and I show a few different hosts over the last few days trying to brute force my SSH server.

How can I get the SSHD to only allow about 3 login attempts before no longer responding to a foreign host?
--
for all your Linux questions


deblin
Dark Side of the Moon
Premium,MVM
join:2001-09-01
Middletown, DE

Re: How do I secure ssh to only allow 3 login attempts?

Most likely you could configure pam to do so. I'm not sure if OpenSSH's sshd can do that natively or not.

However, this is most likely related to the SSH Scanning, which you shouldn't worry about if you don't have weak usernames/passwords.
--
"I drank what?" -Socrates


nklb
Premium
join:2000-11-17
Ann Arbor, MI

I have had lots of the generic scanning stuff lately as well, but in particular there are a couple of hosts who really hammered my box with hundreds of login attempts over a two hour or so period.

I think it would be a much more secure solution anyway to restrict the number of times a given IP can try to connect, so that even if they do get the right username/pass eventually it won't do them any good.
--
for all your Linux questions


deblin
Dark Side of the Moon
Premium,MVM
join:2001-09-01
Middletown, DE

I don't think you can do so on a per-IP basis with sshd_config or pam. You could use iptables to limit the number of SYN packets destined for port 22 in a given interval from a host range, too.

The problem is, the pam module for login attempts is for the # of attempts for a particular login, e.g. 3 attempts in a row for userX. What you're looking for is something like that but from a particular source IP.
--
"I drank what?" -Socrates


nklb
Premium
join:2000-11-17
Ann Arbor, MI

I found an option for the sshd config file at »www.gsp.com/cgi-bin/man.cgi?sect···d_config

MaxAuthTries Specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged. The default is 6.
--
for all your Linux questions


deblin
Dark Side of the Moon
Premium,MVM
join:2001-09-01
Middletown, DE
Not in my "man sshd_config" on debian/sid, though it's using a relatively new OpenSSH. Have you tested it?
--
"I drank what?" -Socrates


nklb
Premium
join:2000-11-17
Ann Arbor, MI

Just tested it and it does work, but because it is per connection it is easy enough for an attacker to just open up a 2nd connection after the 1st one fails and try again :-/

So I'm still looking for a solution.
--
for all your Linux questions


deblin
Dark Side of the Moon
Premium,MVM
join:2001-09-01
Middletown, DE
So it is 3 attempts from the same source connection? E.g. it's tied to source port?
--
"I drank what?" -Socrates


Happyrat
Google Is Your Best Friend
Premium
join:2002-07-01
Disneyland

reply to nklb
Why not increase the delay between failed login attempts to something like 10 to 30 seconds? Then even if they try to brute force it, it will take them about 10 years to hack a password...

--
Subtlety is wasted on the dense... »www.fuzzyrat.com


nklb
Premium
join:2000-11-17
Ann Arbor, MI

reply to deblin
No, when a user tries to ssh in and they type a wrong password, they have an opportunity again to supply the right password. If they fail x number of times, they get disconnected. That was one session, and they could always start up another session simply by trying to connect again, and they would have x number of attempts to guess the password again.
--
for all your Linux questions


deblin
Dark Side of the Moon
Premium,MVM
join:2001-09-01
Middletown, DE

OK, then it sounds like that option does what the pam login limits do as well. Which isn't what you want, of course.

What you really want is some sort of hook to use iptables (or whatever your firewall solution is if this isn't Linux) to block connections from that IP after X number of failed attempts. I don't know of a generic solution for this, though. Hopefully someone can chime in with something.
--
"I drank what?" -Socrates
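The hook deblin describes above (count failed logins per source IP and hand the offenders to iptables), written out as an added example rather than code from this thread: a Python script that scans sshd auth-log lines and reports source IPs that reach a failure threshold within a time window, across connections and usernames. The log lines, hostname and IPs are constructed, the year is assumed (syslog stamps carry none), and the iptables commands are only generated for an operator to review, not executed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth.log excerpt (fake host, documentation-range IPs).
SAMPLE_LOG = """\
Feb  9 23:01:02 box sshd[4101]: Failed password for root from 203.0.113.7 port 40211 ssh2
Feb  9 23:01:05 box sshd[4101]: Failed password for root from 203.0.113.7 port 40211 ssh2
Feb  9 23:01:09 box sshd[4103]: Failed password for invalid user admin from 203.0.113.7 port 40218 ssh2
Feb  9 23:01:14 box sshd[4105]: Failed password for invalid user test from 203.0.113.7 port 40222 ssh2
Feb  9 23:02:30 box sshd[4110]: Failed password for nklb from 198.51.100.5 port 51000 ssh2
Feb  9 23:02:41 box sshd[4110]: Accepted password for nklb from 198.51.100.5 port 51000 ssh2
Feb  9 23:40:00 box sshd[4120]: Failed password for root from 192.0.2.9 port 33000 ssh2
Feb  9 23:59:00 box sshd[4121]: Failed password for root from 192.0.2.9 port 33001 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)
def parse_ts(stamp, year=2010):
    # syslog timestamps carry no year; assume one (the thread dates from 2010)
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def offenders(log_text, max_failures=3, window_seconds=600):
    """Map IP -> failure count for sources that reached max_failures failed
    logins within window_seconds, counted across connections and usernames
    (the per-source view that sshd's per-connection MaxAuthTries cannot give)."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still in window
    flagged = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts, ip = parse_ts(m.group("ts")), m.group("ip")
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # expire failures older than the window
        if len(q) >= max_failures:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged
def block_commands(ips):
    """iptables commands for an operator to review; nothing is executed here."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP" for ip in sorted(ips)]

if __name__ == "__main__":
    for cmd in block_commands(offenders(SAMPLE_LOG)):
        print(cmd)
```

On the sample, only 203.0.113.7 crosses the default threshold; 192.0.2.9's two failures are 19 minutes apart and fall outside the 10-minute window.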


Big_D
Premium
join:2003-06-02
Augusta, GA

reply to nklb
Re: How do I secure ssh to only allow 3 login attempts?

You might want to have a look at BFD. »www.webhostgear.com/60.html
I have been quite happy using the combo of BFD and APF.
--
You want the truth? You can't handle the truth!


elboricua
El Subestimado
Premium
join:2001-08-12
Bronx, NY

reply to nklb
Re: How do I secure ssh to only allow 3 login attempts?

said by nklb:

I have had lots of the generic scanning stuff lately as well, but in particular there are a couple of hosts who really hammered my box with hundreds of login attempts over a two hour or so period.

I think it would be a much more secure solution anyway to restrict the number of times a given ip can try to connect so that even if they do get the right username/pass eventually it wont do them any good.
I think the easier solution for peace of mind would be to do the following in your sshd_config:

1. Implement SSH key authentication only: set the option PasswordAuthentication to no.

2. Limit the users who can log in via ssh. Set the AllowUsers option to only those users who you want to have ssh access.

3. Most important, set PermitRootLogin to no.

4. And lastly, make sure that you are only using protocol 2.
--
Sending script kiddies to /dev/null since 1995!


yock
TFTC
Premium
join:2000-11-21
Fairfield, OH

reply to nklb
Re: How do I secure ssh to only allow 3 login attempts?

As has been said, you would need to configure PAM to block an IP range after a specific number of failed attempts. Why not be more proactive about it and limit what IP ranges even have access to the SSH daemon? This could easily be accomplished with either IPTables or TCP Wrappers.

To get the effect you're looking for at the top of this thread, you would have to lock out the accounts in question after a number of failed login attempts. This would necessitate that the accounts actually exist, and could potentially cause problems elsewhere. Ensure that accounts that don't require a shell are set WITHOUT a shell in /etc/passwd, and any accounts that do need to be interactive are set with either strong passwords or (even better) PKA.
--
Statistical correlation need not imply causation.
Technical Nirvana


TheLost

@comcast.n

reply to nklb
Re: How do I secure ssh to only allow 3 login attempts?

Well, the best method I can see at this time would be to use Iptables and limit the number of NEW connections, like so:

iptables -A INPUT -i eth0 -p tcp --dport 22 -m limit --limit 2/m --limit-burst 2 -m state --state NEW -j ACCEPT
# NEW connections beyond the limit fall through to this rule and are dropped;
# without it (or a DROP policy on INPUT) the ACCEPT rule above limits nothing.
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -j DROP

The --limit and --limit-burst can be adjusted as needed, depending on your needs for the system in question. You may want to change them to 1/m and 1, which would cause each attempt to take a minute of their time, so those 116 root login attempts alone would take 116 minutes, give or take.

For the braver ones, you could go so far as changing it to 1/h and 1, so that you can only connect to ssh once per hour, per IP......

Things to take into account are legitimate failed login attempts, connection issues and forgetting to get something done in your previous session.

In addition you can also gain some additional control using the following sshd settings:

KeepAlive no
MaxStartups 10
LoginGraceTime 60
ClientAliveInterval 60
ClientAliveCountMax 1

Adjust as desired. See man.

Ultimately it would be nice if SSHD gained a feature where you could have it deny an IP for a specified amount of time after a specified amount of failed login attempts.

Using account lockout would certainly be foolish, since you have no control over which accounts they will be trying and they can easily add more, which may simply result in you being locked out yourself.

Though only allowing a certain IP range and/or changing the port it's running on would work for some, in my case it is not an option, since I have customers using a custom SSH interface.

So, until SSHD can handle it correctly Iptables appears to be the best option at this time.


TheLost

@comcast.n

reply to nklb
B.T.W. the Iptables suggestion will not prevent them from trying, but instead is designed to discourage them by lengthening the amount of time they will have to spend before the next attempt.

With PermitRootLogin set to no and strong passwords this is not a very serious threat; however, these attempts can eat into your bandwidth and processing time as well as cause your logs to swell. So, the ideal is to make it more uncomfortable for them.


fritzmp
Biker Tux
Premium
join:2001-08-29
Warrenton, VA

reply to nklb
In the tips and tricks thread I posted, »Re: Little Known Tips and Tricks...

I also configure the router to only give access to known static IPs and the road warriors' VPN clients with valid keys.
Pro SonicWall products are stupid simple and work extremely well. This too can be accomplished via FreeSwan and IPtables.
Time is money, and there are proprietary products that do make life much easier.

My logs are full of attempts to port 22, but only the ones I have configured for access get the juice.
--
"We know the race is not to the swift nor the battle to the strong. Do you not think an angel rides in the whirlwind and directs this storm?" --John Page wrote to Thomas Jefferson


alien9999999
Your Head Looks Nice
Premium
join:2002-05-21
B-3000

reply to nklb
Re: How do I secure ssh to only allow 3 login attempts?

How about filtering the offensive IPs out of your logs, then blocking those IPs from your box(es) permanently, then using RIPE to report those IPs to their ISPs' abuse departments.

Alternatively, something like this could be automated, after for example 20 connections to an unused port or failed authorization...
--
Alien is my name and headbiting is my game.


nklb
Premium
join:2000-11-17
Ann Arbor, MI

reply to TheLost
Re: How do I secure ssh to only allow 3 login attempts?

It seems that SSHD itself doesn't offer this functionality (if I knew more about coding I would add it myself and give back to the community :-/).

The IPtables solution suggested seems to more than adequately do what I need, so thank you for the help, everyone.
--
for all your Linux questions
Wednesday, 10-Feb 01:05:30 | © 1999-2010 dslreports.com