LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 03-31-2006, 03:37 PM   #1
babysparrow
Member
 
Registered: Nov 2005
Location: Worcestershire,UK
Distribution: Fedora Core 3,4,5 ; ubuntu 8.10 ; slax6
Posts: 69

Rep: Reputation: 15
Protect server from brute force attack via ssh


My /var/log/messages shows repeated sustained brute force attacks are occurring on a regular basis.

I am frustrated that I cannot stop ssh from gleefully accepting repeated login attempts from the same ip despite hundreds of failures.

Is there no way that I can change the config (perhaps in /etc/ssh/ssh_config) to allow only three (say) failed attempts from the same ip ?

Or is there some other way to deal with this ?

(I thought SE Linux might do something about this - but I've had a lazy shuffle around there and it does not seem to)
 
Old 03-31-2006, 03:42 PM   #2
Caeda
Senior Member
 
Registered: Jul 2003
Location: Indiana
Distribution: Suse 6.0+, Mandrake 5.0-10.0, Redhat 6.0-9.0, Gentoo 1.2+, Gnoppix, Knoppix, Sabayon, Ubuntu 5.04+
Posts: 1,811

Rep: Reputation: 45
You mean something like the command in the help files...

ip ssh authentication-retries retryLimit

which you just have to type in?
 
Old 03-31-2006, 03:52 PM   #3
babysparrow
Member
 
Registered: Nov 2005
Location: Worcestershire,UK
Distribution: Fedora Core 3,4,5 ; ubuntu 8.10 ; slax6
Posts: 69

Original Poster
Rep: Reputation: 15
Thanks Caeda, I don't have a Cisco router. I'm using a Netgear DG814 dsl modem/router and really need some way to get FC4 to do the work itself.

I've probably missed something here again - sorry to appear a bit stupid.
 
Old 03-31-2006, 03:54 PM   #4
int0x80
Member
 
Registered: Sep 2002
Location: Cincinnati
Distribution: Debian GNU/Linux
Posts: 310

Rep: Reputation: 31
Well there is this (sticky) link -- http://www.linuxquestions.org/questi...d.php?t=340366
Also you can just run your SSH daemon on a different port. I haven't had one log of SSH brute force since I changed the port OpenSSH listens on.
 
Old 03-31-2006, 04:02 PM   #5
babysparrow
Member
 
Registered: Nov 2005
Location: Worcestershire,UK
Distribution: Fedora Core 3,4,5 ; ubuntu 8.10 ; slax6
Posts: 69

Original Poster
Rep: Reputation: 15
Thanks int0x80. Problem with that one is that if I change the default port, then I won't be able to access it myself from some of my client sites - or at least it would require a firewall change to do so (and that ain't gonna happen).

I'm just griping now, but I can't believe that ssh2.0 has no built in mechanism to at least try to deal with this. Well never mind.
 
Old 03-31-2006, 04:15 PM   #6
haertig
Senior Member
 
Registered: Nov 2004
Distribution: Debian, Ubuntu, LinuxMint, Slackware, SysrescueCD
Posts: 2,004

Rep: Reputation: 304
Quote:
Originally Posted by babysparrow
Is there no way that I can change the config (perhaps in /etc/ssh/ssh_config) to allow only three (say) failed attempts from the same ip ?
www.google.com ... enter "denyhosts" ... first hit!

[edit] Here are the DenyHosts features: http://denyhosts.sourceforge.net/features.html [/edit]

Last edited by haertig; 03-31-2006 at 04:17 PM.
 
Old 03-31-2006, 09:00 PM   #7
michaelsanford
Member
 
Registered: Feb 2005
Location: Ottawa/Montréal
Distribution: Slackware + Darwin (MacOS X)
Posts: 468

Rep: Reputation: 30
Quote:
Originally Posted by babysparrow
Is there no way that I can change the config (perhaps in /etc/ssh/ssh_config) to allow only three (say) failed attempts from the same ip ?
There are a few ways. Assuming you are either the only one who logs in, or you have a small group, briefly:

a) sshd_config > MaxAuthTries 1
b) sshd_config > PasswordAuthentication no

(a) will reduce the number of attempts that the brute machine can make on any single connection attempt.
(b) will force the client (you) to use public-key authentication and will automatically deny the user access if he doesn't have a valid public key. There's a how-to here for that.

Then, probably the best for your situation
(c) sshd_config > HostbasedAuthentication yes

Check the manpage for that last one. Basically it will only even bother to try to get credentials from a user who is connecting from a particular set of pre-defined hosts and drop everyone else.

There are also firewall rules you can implement for this that will limit the number of attempts on a given port in a given amount of time. If you set something like -m limit --limit 5/m --limit-burst 5 -j REJECT you're telling the firewall to reject the packet if more than 5 per minute come in. You'd have to set a really long interval like this for it to make any difference. BUT you probably don't want to do that! Why? Well, what if YOU try to log in once the limit is reached? You won't be able to until the firewall timer has expired. Now, what if your attacker continues his attack for hours? You can't log in until he finishes his attack, which, if it's brute-force automated set-then-go-to-bed, it could be hours. If it's from Sing., like mine all have been, he'll be sleeping while you're on the clock at work. Not a good combo.
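The per-IP lockout the original poster asked for, as an added example that is not from any poster in this thread: it counts sshd "Failed password" lines from a syslog-style /var/log/messages, skips an allowlist of the admin's own client networks (so the firewall-timer lockout described above cannot hit a legitimate user), and renders TCP-wrappers /etc/hosts.deny entries, which is the mechanism DenyHosts drives. The log lines, IP addresses and the 192.0.2.0/24 allowlist are constructed placeholders, not data from the thread.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample in the syslog format sshd used on Fedora Core 4;
# the addresses are documentation-range placeholders, not real hosts.
SAMPLE_LOG = """\
Mar 31 15:01:02 srv sshd[2201]: Failed password for root from 203.0.113.7 port 40122 ssh2
Mar 31 15:01:04 srv sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 40125 ssh2
Mar 31 15:01:06 srv sshd[2205]: Failed password for invalid user test from 203.0.113.7 port 40130 ssh2
Mar 31 15:01:09 srv sshd[2207]: Failed password for root from 203.0.113.7 port 40133 ssh2
Mar 31 15:03:11 srv sshd[2250]: Failed password for bob from 192.0.2.10 port 50100 ssh2
Mar 31 15:03:14 srv sshd[2250]: Failed password for bob from 192.0.2.10 port 50100 ssh2
Mar 31 15:03:17 srv sshd[2250]: Failed password for bob from 192.0.2.10 port 50100 ssh2
Mar 31 15:03:20 srv sshd[2252]: Accepted publickey for bob from 192.0.2.10 port 50101 ssh2
Mar 31 15:05:00 srv sshd[2290]: Failed password for invalid user oracle from 198.51.100.9 port 33001 ssh2
Mar 31 15:05:01 srv sshd[2290]: Failed password for invalid user oracle from 198.51.100.9 port 33001 ssh2
Mar 31 15:05:02 srv sshd[2290]: Failed password for invalid user oracle from 198.51.100.9 port 33001 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." and captures the source IP.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+")


def count_failures(log_text):
    """Return a Counter of 'Failed password' events keyed by source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def offenders(log_text, threshold=3, allow=("192.0.2.0/24",)):
    """IPs with at least `threshold` failures, excluding allowlisted networks
    (the admin's own client sites, so a mistyped password never locks them out)."""
    nets = [ip_network(n) for n in allow]
    hits = []
    for ip, n in count_failures(log_text).items():
        if n >= threshold and not any(ip_address(ip) in net for net in nets):
            hits.append(ip)
    return sorted(hits)


def hosts_deny_lines(ips):
    """Render TCP-wrappers entries in the 'daemon: client' form used by /etc/hosts.deny."""
    return ["sshd: %s" % ip for ip in ips]


if __name__ == "__main__":
    print("\n".join(hosts_deny_lines(offenders(SAMPLE_LOG))))
```

Run from cron against the live log (and append the output to /etc/hosts.deny) to get the three-strikes behaviour the question asks for; the allowlist is what keeps the lockout from turning into the self-inflicted outage described in the last paragraph.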