Skip site navigation (1)Skip section navigation (2) 
Date:      Fri, 8 Oct 2004 11:25:10 +0100 (BST)
From:      "Daniel Bye" <dan@slighytlystrange.org>
To:        freebsd-questions@freebsd.org
Subject:   Re: Protecting SSH from brute force attacks
Message-ID:  <65066.154.8.22.73.1097231110.squirrel@154.8.22.73>
In-Reply-To: <20041008074451.37565.qmail@web54004.mail.yahoo.com>
References:  <20041008074451.37565.qmail@web54004.mail.yahoo.com>
next in thread | previous in thread | raw e-mail | index | archive | help 

On Fri, 8 October, 2004 8:44 am, spam maps said:
> Vulpes Velox wrote:
>> On Thu, 7 Oct 2004 15:15:25 -0700 (PDT) Luke <luked@pobox.com> wrote:
>>
>>> There are several script kiddies out there hitting my SSH server
>>> every day.  Sometimes they attempt to brute-force their way in
>>
>> man login.conf for more info :)
>
> I'm just guessing, but are you trying to tell me that "login-retries" in
> login.conf is useful?
>
> I have tried that by setting it to 2, but it seems to have no effect on
> the sshd login behaviour. I always can try the password 6 times:
>
> $ ssh myname@my.own.pc
> Password:
> Password:
> Password:
> myname@my.own.pc's password:
> Permission denied, please try again.
> myname@my.own.pc's password:
> Permission denied, please try again.
> myname@my.own.pc's password:
> Permission denied (publickey,password,keyboard-interactive).
> $
>
> So could you be a little more specific as to where login.conf is of help
> here?

This is still only one *connection* - sshd will offer you (or anyone else
who can connect) a certain number of chances to prove your identity. 
Login.conf can't help with this.  You can configure sshd to stop offering
the keyboard-interactive auth method - set

ChallengeResponseAuthentication no

in /etc/ssh/sshd_config and HUP the daemon.  You will no longer see the
first three Password: prompts.

Login.conf can help you to limit the number of successive login attempts. 
Make sure you run "cap_mkdb /etc/login.conf" whenever you edit the file,
or you will not enable your changes.

Dan

-- 
Daniel Bye

PGP Key: ftp://ftp.slightlystrange.org/pgpkey/dan.asc
PGP Key fingerprint: 3B9D 8BBB EB03 BA83 5DB4 3B88 86FC F03A 90A1 BE8F
                                                                     _
                                              ASCII ribbon campaign ( )
                                         - against HTML, vCards and  X
                                - proprietary attachments in e-mail / \

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?65066.154.8.22.73.1097231110.squirrel>