LinuxQuestions.org

Linux - Security: Limiting Login Attempts (https://www.linuxquestions.org/questions/linux-security-4/limiting-login-attempts-324108/)

chesp3 05-16-2005 02:42 PM

Limiting Login Attempts
 
Hey All,

I use SSH on my server to upload remotely, and I use LogWatch to monitor the logs. Over the last week or so I've been getting about 600 root login attempts a day from some guy in Korea. (I've been changing the password a lot.) I googled for this and tried out a tutorial on pam_tally, and my /etc/pam.d/sshd has this:

Code:

auth      required    /lib/security/pam_tally.so onerr=fail no_magic_root
account    required    /lib/security/pam_tally.so per_user deny=3 no_magic_root reset

But I still have a couple hundred root logins, so I'm guessing this tally thing really isn't working or the config is wrong.

So how can I limit the number of logins in one day/week/hour/whatever?

Thanks in advance,

Chester

Matir 05-16-2005 06:52 PM

This is a *BAD* idea. (Explained below.) Instead, add

Code:

PermitRootLogin no

into your sshd_config file (usually /etc/ssh/sshd_config).

Here's why this is bad: what pam_tally does, as I understand it, is to lock the account. Then even *you* can't get in as root. I don't think that's what you want. :)

If you have more questions, I'd be happy to answer them.

cormander 05-16-2005 07:18 PM

I agree on the not permitting remote root login, but here is an additional thought.

You could run ssh on a different port. If the guy is stupid enough, he won't detect that you've simply changed which port you run sshd on.

This can be done by editing the /etc/ssh/sshd_config file: find the line that reads:

#Port 22

Remove the #, and change the port number. This runs sshd on port 2222:

Port 2222

Be sure to restart sshd after you do this.

You can also specify it as many times as you like, if you want to run sshd on multiple ports:

Port 1232
Port 4563

I manage several servers, and I have found that attempts like this are common.

I imagine that a lot of ssh brute force tools only look at port 22 on a network address, and if there is no response from that port, they move on to try to hack someone else, because this isn't nearly as frequent on systems on which SSH isn't running on port 22.

Now the more ambitious bot will portscan and brute force ssh on any port it finds ssh to be running on, and simply changing the port sshd runs on won't stop these bots, but I believe doing this will still cut out a big chunk of the number of bots out there trying to brute force their way into your system.

Matir 05-16-2005 07:31 PM

That is also a possibility, though I prefer to leave services running on their well known port. Mostly a personal/choice thing. If the rest of your security is good enough, you should be fine either way.

chesp3 05-16-2005 08:08 PM

Thanks for the suggestions, I forgot about PermitRootLogin... Just for my reference, however, is there a way to block login attempts (besides pam_tally) for, say, a normal user, just for some extra security? It's not that important.

Thanks again,

Chester

cormander 05-16-2005 08:13 PM

You can give the user the nologin shell:

Code:

usermod -s /sbin/nologin USER

Or you can disable their password:

Code:

passwd -l USER

Matir 05-16-2005 09:18 PM

Well, let's not forget about the 'AllowGroups' directive in sshd. In my sshd_config, I have "AllowGroups sshusers" and have a group sshusers to which I have added all users I want to be able to use ssh. I do NOT use this as a primary group, only secondary, but I think it's easier than disabling users. Just like a firewall: deny everything, then allow what you need in.
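As an added example (not code from anyone in this thread), a small sh/awk audit for the three sshd_config directives discussed above: PermitRootLogin, Port, and AllowGroups. It encodes the caveat that bites people who append a fix to the bottom of the file: for most keywords sshd keeps the first uncommented value it reads, so a later "PermitRootLogin no" is silently ignored. The sample config is constructed for the demo; the function names and the "Key value" (not "Key=value") syntax handling are this example's own assumptions.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the directives discussed in the thread.
# sshd uses the FIRST uncommented value of a keyword (Port is the exception:
# every Port line adds a listener), so a "PermitRootLogin no" appended after an
# earlier "PermitRootLogin yes" changes nothing. Keywords are case-insensitive.

# sshd_effective FILE KEYWORD -> prints the effective value (empty if unset)
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }                 # skip comments, blank lines
        tolower($1) == "match" { exit }               # stop at Match blocks
        tolower($1) == key { $1 = ""; sub(/^ +/, ""); print; exit }  # first wins
    ' "$1"
}

# sshd_ports FILE -> every Port value, space separated (22 when none is set)
sshd_ports() {
    awk '/^[[:space:]]*(#|$)/ { next }
         tolower($1) == "port" { p = p (p ? " " : "") $2 }
         END { print (p ? p : "22") }' "$1"
}

# sshd_audit FILE -> prints findings; exit status 0 only when both checks pass
sshd_audit() {
    rc=0
    prl=$(sshd_effective "$1" PermitRootLogin)
    if [ "${prl:-yes}" != "no" ]; then   # unset meant "yes" on sshd of this era
        echo "FAIL: effective PermitRootLogin is '${prl:-unset}', want 'no'"; rc=1
    fi
    if [ -z "$(sshd_effective "$1" AllowGroups)" ]; then
        echo "FAIL: no AllowGroups line; any account with a shell may log in"; rc=1
    fi
    echo "INFO: sshd listens on port(s): $(sshd_ports "$1")"
    return $rc
}

# write_sample_config FILE -> constructed config reproducing the thread's
# situation, with the fix appended too late to take effect
write_sample_config() {
    cat > "$1" <<'EOF'
#Port 22
Port 2222
Port 4563
PermitRootLogin yes
#PermitRootLogin no
permitrootlogin no
AllowGroups sshusers admins
EOF
}

cfg=$(mktemp); write_sample_config "$cfg"
sshd_audit "$cfg" || echo "audit found problems (expected for the sample)"
rm -f "$cfg"
```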
