Limiting Login Attempts
Hey All,
I use SSH on my server to upload remotely, and I use LogWatch to monitor the logs. Over the last week or so I've been getting about 600 root login attempts a day from some guy in Korea. (I've been changing the password a lot.) I googled for this and tried out a tutorial on pam_tally, and my /etc/pam.d/sshd has this:
Code:
auth required /lib/security/pam_tally.so onerr=fail no_magic_root

So how can I limit the number of logins in one day/week/hour/whatever?
Thanks in advance, Chester |
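Before deciding how to limit attempts, it helps to see what the log actually says per source address, since a limit (pam_tally's deny=N threshold, a firewall drop, or anything similar) has to be keyed on something, and the pam_tally line as posted carries no deny= argument, so on its own it only counts failures. The script below is an added example, not code from this thread or from any of its posters: it tallies "Failed password" lines from OpenSSH's syslog output per source IP and flags sources at or above a threshold. The log lines, hostnames and addresses are constructed for the example; point `failed_by_ip` at your real auth log (e.g. `failed_by_ip "$(cat /var/log/auth.log)"`) to see your own numbers.

```shell
#!/bin/sh
# Added example (not from the thread): tally failed SSH logins per source IP
# from OpenSSH syslog lines and flag sources at or above a threshold.

# Constructed sample log lines in OpenSSH's usual syslog format; the host,
# timestamps and addresses are made up for this example.
SAMPLE_AUTH_LOG='Mar  3 01:02:11 host sshd[2201]: Failed password for root from 192.0.2.10 port 51234 ssh2
Mar  3 01:02:14 host sshd[2203]: Failed password for root from 192.0.2.10 port 51240 ssh2
Mar  3 01:02:17 host sshd[2205]: Failed password for invalid user admin from 192.0.2.10 port 51244 ssh2
Mar  3 01:03:01 host sshd[2210]: Failed password for chester from 198.51.100.7 port 40001 ssh2
Mar  3 01:03:30 host sshd[2212]: Accepted publickey for chester from 198.51.100.7 port 40002 ssh2
Mar  3 01:04:02 host sshd[2220]: Failed password for root from 203.0.113.5 port 60000 ssh2'

# failed_by_ip LOGTEXT
# Prints "count ip" lines, highest count first (ties ordered by address), for
# every source that produced a "Failed password" line. "Accepted" lines and
# anything not logged by sshd are ignored.
failed_by_ip() {
    printf '%s\n' "$1" | awk '
        /sshd\[[0-9]+\]: Failed password for / {
            # The source address is the word after "from", whether the line
            # names a real user ("for root from") or an invalid one
            # ("for invalid user admin from").
            for (i = 1; i < NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) printf "%d %s\n", n[ip], ip }
    ' | sort -k1,1rn -k2,2
}

# offenders LOGTEXT THRESHOLD
# Prints only the addresses whose failed-attempt count is >= THRESHOLD, one
# per line: the candidates for a firewall drop or a lockout rule.
offenders() {
    failed_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# When run directly: show the tally, then everyone at or above 3 failures.
failed_by_ip "$SAMPLE_AUTH_LOG"
echo "--- at or above 3 failed attempts:"
offenders "$SAMPLE_AUTH_LOG" 3
```

On the constructed input, 192.0.2.10 is the only source over the threshold; the one failure from 198.51.100.7 is followed by a successful key login and would not be worth acting on. Keying a block on the source address, as here, is what keeps a lockout from turning into the self-inflicted denial of service that locking the *account* causes.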
This is a *BAD* idea. (Explained below). Instead, add
Code:
PermitRootLogin no

Here's why this is bad: what pam_tally does, as I understand it, is to lock the account. Then even *you* can't get in as root. I don't think that's what you want. :) If you have more questions, I'd be happy to answer them. |
I agree on the not permitting remote root login, but here is an additional thought.
You could run ssh on a different port. If the guy is stupid enough, he won't detect that you've simply changed which port you run sshd on. This can be done by editing the /etc/ssh/sshd_config file; find the line that reads:
Code:
#Port 22

Remove the #, and change the port number. This runs sshd on port 2222:
Code:
Port 2222

Be sure to restart sshd after you do this. You can also specify it as many times as you like, if you want to run sshd on multiple ports:
Code:
Port 1232
Port 4563

I manage several servers, and I have found that attempts like this are common. I imagine that a lot of ssh brute force tools only look at port 22 on a network address, and if there is no response from that port, it moves on to try to hack someone else, because this isn't nearly as frequent on systems in which SSH isn't running on port 22. Now the more ambitious bot will portscan and do brute ssh on any port it finds ssh to be running on, and simply changing the port sshd runs on won't stop these bots, but I believe doing this will still cut out a big chunk of the number of bots out there trying to brute force their way into your system. |
That is also a possibility, though I prefer to leave services running on their well known port. Mostly a personal/choice thing. If the rest of your security is good enough, you should be fine either way.
|
Thanks for the suggestions, I forgot about PermitRootLogin... Just for my reference however, is there a way to block login attempts (besides pam_tally) for, say, a normal user, just for some extra security? It's not that important.
Thanks again, Chester |
You can give the user the nologin shell:
Code:
usermod -s /sbin/nologin USER   # replace USER's login shell with /sbin/nologin
Code:
passwd -l USER                  # lock USER's password so it cannot authenticate |
Well, let's not forget about the 'AllowGroups' directive in sshd. In my sshd_config, I have "AllowGroups sshusers" and have a group sshusers to which I have added all users I want to be able to use ssh. I do NOT use this as a primary group, only secondary, but I think it's easier than disabling users. Just like a firewall: deny everything, then allow what you need in.
|
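The three sshd_config changes recommended in this thread (PermitRootLogin no, moving the Port, and AllowGroups) all involve the same chore: turning a shipped, commented-out default like `#Port 22` into an active line without leaving a second copy behind. That matters because sshd honours the first active occurrence of a directive, so a new `PermitRootLogin no` appended below a forgotten `PermitRootLogin yes` does nothing. The helper below is an added example, not code from any poster here; it rewrites the file so exactly one active line for the directive remains, and is demonstrated on a constructed sshd_config fragment rather than a real host's file. The `active_value` function is also added here, to show what sshd would actually read back.

```shell
#!/bin/sh
# Added example (not from the thread): set an sshd_config directive
# idempotently. Every existing line for the directive, active or a shipped
# default of the form "#Key value", is removed and the new "Key value" line
# is placed where the first one was (or appended if there was none), so no
# earlier copy can shadow the new setting.

# set_sshd_directive FILE KEY VALUE
set_sshd_directive() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        {
            l = tolower($0)
            sub(/^[ \t]*/, "", l)
            # "#Port 22" style defaults count as the directive; a comment
            # with a space after "#" ("# Port numbers...") does not.
            if (substr(l, 1, 1) == "#") l = substr(l, 2)
            split(l, f, /[ \t=]+/)
            if (f[1] == tolower(key)) {
                if (!done) { print key " " value; done = 1 }
                next                       # drop any other copies
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # keep file mode/owner
    rm -f "$tmp"
}

# active_value FILE KEY
# Prints the value sshd would use: the first uncommented line for KEY.
active_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Constructed sample of a stock sshd_config (not a real host's file).
CONF=$(mktemp)
cat > "$CONF" <<'EOF'
# Example sshd_config (constructed for this example)
#Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server
EOF

# Apply the thread's recommendations. AllowGroups assumes a group named
# "sshusers" exists (groupadd sshusers; usermod -aG sshusers USER).
set_sshd_directive "$CONF" PermitRootLogin no
set_sshd_directive "$CONF" Port 2222
set_sshd_directive "$CONF" AllowGroups sshusers

echo "--- resulting config:"
cat "$CONF"
echo "--- PermitRootLogin as sshd will read it: $(active_value "$CONF" PermitRootLogin)"
```

Because the helper collapses the directive to a single line, use it for the first `Port` only and append further `Port` lines by hand if you want sshd listening on several ports. Before restarting, validate the file with `sshd -t` (add `-f FILE` to test a copy) and keep your current session open until a second login on the new settings succeeds.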