LinuxQuestions.org
Old 08-17-2005, 06:25 AM   #1
pixie
Member
 
Registered: Aug 2003
Distribution: Mageia, Centos, CloudLinux
Posts: 35

Rep: Reputation: 17
Failed login > wait ten minutes etc


Hi,
Am looking for a way to delay failed logins after three attempts using ssh.
So, a user/hacker enters a failed password and on the fourth attempt they have to wait x minutes or whatever before they can try again.
Is there a script available or an existing file I can edit to achieve this?

Last edited by pixie; 08-17-2005 at 06:27 AM.
 
Old 08-17-2005, 01:08 PM   #2
Vgui
Member
 
Registered: Apr 2005
Location: Canada
Distribution: Slackware
Posts: 496

Rep: Reputation: 31
http://www.ssh.com/support/documenta...tion_File.html
^-- Might have some ideas

Basically though there are a few options (don't know the exact names off the top of my head) that allow you to set the number of failed logins allowed, timeouts, etc. All this is done through your sshd_config file (normally in /etc/).
 
Old 08-17-2005, 02:52 PM   #3
pixie
Member
 
Registered: Aug 2003
Distribution: Mageia, Centos, CloudLinux
Posts: 35

Original Poster
Rep: Reputation: 17
Thanks, will check it out.
 
Old 08-17-2005, 04:01 PM   #4
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,005
Blog Entries: 11

Rep: Reputation: 903
That won't help you :}

ssh (by itself) doesn't provide means to achieve this,
but you could have a look at the varied tools mentioned
in the sticky thread on ssh attacks.

At least one of the tools allows blocking-times in the
minute region, others could easily enough be modified
to accommodate that.



Cheers,
Tink
 
Old 08-17-2005, 04:10 PM   #5
Vgui
Member
 
Registered: Apr 2005
Location: Canada
Distribution: Slackware
Posts: 496

Rep: Reputation: 31


On my system /etc/ssh/sshd_config contains such options as:
Code:
LoginGraceTime 2m
MaxAuthTries 3
etc.
And those won't help? :}
 
Old 08-17-2005, 04:13 PM   #6
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,005
Blog Entries: 11

Rep: Reputation: 903
Not really... read again what he's asking for.


Cheers,
Tink
 
Old 08-17-2005, 04:17 PM   #7
Vgui
Member
 
Registered: Apr 2005
Location: Canada
Distribution: Slackware
Posts: 496

Rep: Reputation: 31
The link may be useless but everything I said was true / helpful / useable.
 
Old 08-17-2005, 04:36 PM   #8
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,005
Blog Entries: 11

Rep: Reputation: 903
How? Really, he just (hopefully) got somewhat more
familiar with the ssh basic configuration, but by no means
did that document or your comments help him in
achieving his goal... ;}


Cheers,
Tink
 
Old 08-17-2005, 04:50 PM   #9
Vgui
Member
 
Registered: Apr 2005
Location: Canada
Distribution: Slackware
Posts: 496

Rep: Reputation: 31
Glad to see you are helping out too

@pixie: You might want to look into FAIL_DELAY and its alternatives. Here are a couple posts I dug up on the topic:
http://marc.theaimsgroup.com/?l=open...8735306428&w=2
http://lists.debian.org/debian-user/.../msg07107.html

It doesn't seem like FAIL_DELAY is implemented in the non-commercial ssh, but you could possibly use pam or tcpwrappers to get around this.
Also, play around with lowering the LoginGraceTime value to stop failed connections from piling up.

Another option entirely is to block the offending IP address if they fail a certain number of times.

Last edited by Vgui; 08-17-2005 at 04:51 PM.
 
Old 08-17-2005, 05:30 PM   #10
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,005
Blog Entries: 11

Rep: Reputation: 903
Quote:
Originally posted by Vgui
Glad to see you are helping out too :rolleyes:
Anytime. Did you actually read that entire sticky?
http://denyhosts.sourceforge.net/
for instance does EXACTLY what that fella wants,
it breaks the block-time down to minutes.

And yes, it actually makes use of your clever suggestion
to use the tcpwrappers. :rolleyes:


Cheers,
Tink
 
Old 08-18-2005, 02:52 AM   #11
pixie
Member
 
Registered: Aug 2003
Distribution: Mageia, Centos, CloudLinux
Posts: 35

Original Poster
Rep: Reputation: 17
Thank you for ALL the replies. Not sure why one or two of you seem to get upset by some of the replies to my question, perhaps a "chill pill" is needed? LOL.
I did look around the forum first but most of the possible answers revolved around blocking / banning IPs which is not what I want to do. The denyhosts app would seem to cover my needs but is a little "over the top" or bloated. However I think I can adjust it to get what I am after if nothing else comes up.
Thanks for the help and advice.
 
Old 08-18-2005, 03:54 AM   #12
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,005
Blog Entries: 11

Rep: Reputation: 903
Well, the thing is that ssh DOESN'T have the facility,
you have to work around it somehow. DenyHosts (with
the expiry set to 10 minutes) may well give you the
desired effect, or what did you expect to happen when
a connection attempt is made in those 10 minutes?

The next alternative would be to edit the sshd source
to your heart's content and add that nifty feature yourself :}


Cheers,
Tink
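
Added example, not part of the thread and not DenyHosts' own code: a minimal sketch of the approach the thread settles on, counting sshd "Failed password" lines per source address and emitting a tcpwrappers deny entry that expires after ten minutes. The log lines, thresholds and function names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the usual sshd syslog format (not real log data).
SAMPLE_LOG = """\
Aug 17 06:20:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 4021 ssh2
Aug 17 06:20:05 host sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 4022 ssh2
Aug 17 06:20:09 host sshd[1207]: Failed password for root from 203.0.113.7 port 4025 ssh2
Aug 17 06:21:30 host sshd[1215]: Failed password for pixie from 198.51.100.4 port 5110 ssh2
Aug 17 06:21:41 host sshd[1215]: Accepted password for pixie from 198.51.100.4 port 5110 ssh2
Aug 17 06:40:00 host sshd[1300]: Failed password for root from 203.0.113.7 port 4100 ssh2
"""

# The user name is client-supplied, so match the address at the END of the line:
# a crafted name containing " from <ip>" must not steer the block elsewhere.
FAILED = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for .* from (\S+) port \d+ ssh2$")

def blocks(log_text, year=2005, max_failures=3,
           window=timedelta(minutes=5), block_for=timedelta(minutes=10)):
    """Return {ip: block_expiry} for sources with max_failures inside window."""
    recent, expiry = {}, {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so it is passed in (assumption).
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if ip in expiry and ts < expiry[ip]:
            continue  # still blocked; do not extend the block
        hits = [t for t in recent.get(ip, []) if ts - t <= window] + [ts]
        recent[ip] = hits
        if len(hits) >= max_failures:
            expiry[ip] = ts + block_for
            recent[ip] = []  # counter starts fresh once the block lapses
    return expiry

def hosts_deny(expiry, now):
    """Render /etc/hosts.deny lines for blocks active at `now`; expired ones drop out."""
    return [f"sshd: {ip}" for ip, until in sorted(expiry.items()) if now < until]
```

Because the block is keyed on the source address rather than the account, a legitimate user connecting from elsewhere is unaffected while the offending host waits out the ten minutes.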
 
  



All times are GMT -5. The time now is 08:09 PM.
