Date:      Fri, 08 Oct 2004 06:05:37 -0500
From:      Chris <racerx@makeworld.com>
To:        Daniel Bye <dan@slighytlystrange.org>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Protecting SSH from brute force attacks
Message-ID:  <41667481.9040800@makeworld.com>
In-Reply-To: <65066.154.8.22.73.1097231110.squirrel@154.8.22.73>
References:  <20041008074451.37565.qmail@web54004.mail.yahoo.com> <65066.154.8.22.73.1097231110.squirrel@154.8.22.73>

Daniel Bye wrote:
> On Fri, 8 October, 2004 8:44 am, spam maps said:
> 
>>Vulpes Velox wrote:
>>
>>>On Thu, 7 Oct 2004 15:15:25 -0700 (PDT) Luke <luked@pobox.com> wrote:
>>>
>>>
>>>>There are several script kiddies out there hitting my SSH server
>>>>every day.  Sometimes they attempt to brute-force their way in
>>>
>>>man login.conf for more info :)
>>
>>I'm just guessing, but are you trying to tell me that "login-retries" in
>>login.conf is useful?
>>
>>I have tried that by setting it to 2, but it seems to have no effect on
>>the sshd login behaviour. I always can try the password 6 times:
>>
>>$ ssh myname@my.own.pc
>>Password:
>>Password:
>>Password:
>>myname@my.own.pc's password:
>>Permission denied, please try again.
>>myname@my.own.pc's password:
>>Permission denied, please try again.
>>myname@my.own.pc's password:
>>Permission denied (publickey,password,keyboard-interactive).
>>$
>>
>>So could you be a little more specific as to where login.conf is of help
>>here?
> 
> 
> This is still only one *connection* - sshd will offer you (or anyone else
> who can connect) a certain number of chances to prove your identity. 
> Login.conf can't help with this.  You can configure sshd to stop offering
> the keyboard-interactive auth method - set
> 
> ChallengeResponseAuthentication no
> 
> in /etc/ssh/sshd_config and HUP the daemon.  You will no longer see the
> first three Password: prompts.
> 
> Login.conf can help you to limit the number of successive login attempts. 
> Make sure you run "cap_mkdb /etc/login.conf" whenever you edit the file,
> or you will not enable your changes.
> 
> Dan
> 


In addition, if you use ipfw, do something like this:

# Allow in SFTP, SSH, and SCP from public Internet
# (setup matches only new connections; limit src-addr 4 caps each source address at 4 open connections)
${fwcmd} add 090 pass log tcp from xxx.xxx.xxx.xxx/xx to ${ip} 22 setup limit src-addr 4

This simply allows ssh access to a certain subnet etc. In addition, the 
limit src-addr 4 allows only 4 connects etc.


-- 
Best regards,
Chris

The most important item in an order will no longer
be available.
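As an added illustration, not part of this thread, of spotting the repeated attempts Luke describes: this POSIX sh function tallies failed sshd logins per source address over a few constructed auth.log lines. The log format, hostname and addresses are assumed for the example.

```shell
#!/bin/sh
# Constructed sample sshd log lines (not taken from the thread).
SAMPLE_LOG='Oct  8 05:58:01 pc sshd[5120]: Failed password for invalid user admin from 192.0.2.10 port 4021 ssh2
Oct  8 05:58:03 pc sshd[5120]: Failed password for invalid user admin from 192.0.2.10 port 4021 ssh2
Oct  8 05:58:05 pc sshd[5120]: Failed password for invalid user admin from 192.0.2.10 port 4021 ssh2
Oct  8 05:58:09 pc sshd[5133]: Failed keyboard-interactive/pam for root from 192.0.2.10 port 4022 ssh2
Oct  8 06:01:12 pc sshd[5140]: Failed password for myname from 198.51.100.7 port 50212 ssh2
Oct  8 06:01:20 pc sshd[5140]: Accepted password for myname from 198.51.100.7 port 50212 ssh2'

# count_failures THRESHOLD: read sshd log lines on stdin and print
# "ADDRESS COUNT" for every source with at least THRESHOLD failed
# password or keyboard-interactive attempts. Only "Failed ..." lines
# count; an "Accepted" line never raises a tally.
count_failures() {
    threshold="$1"
    awk -v limit="$threshold" '
        /sshd/ && /Failed (password|keyboard-interactive)/ {
            # the source address is the field after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        END {
            for (ip in fails) if (fails[ip] >= limit) print ip, fails[ip]
        }' | sort
}

# Run the tally over the constructed sample with the given threshold.
offenders_in_sample() {
    printf '%s\n' "$SAMPLE_LOG" | count_failures "$1"
}

# Three or more failures from one address: prints "192.0.2.10 4"
offenders_in_sample 3
```

On a live system the same function reads `grep sshd /var/log/auth.log | count_failures 3`; the addresses it prints are candidates for the ipfw or login.conf limits discussed above, not an automatic block list.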


