SSHD: Lockout IP address after xxx failed authentication attempts
Linux - SoftwareThis forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
SSHD: Lockout IP address after xxx failed authentication attempts
What are good ways to accomplish this? I wrote my own script to do this years ago, but I'm now investigating if there is a better "standard" method.
My SSHD setup only allows pubkey authentication. No other methods. So I have in my sshd_config (partial listing of the contents):
Code:
ChallengeResponseAuthentication no
PasswordAuthentication no
KerberosAuthentication no
RSAAuthentication no
RhostsRSAAuthentication no
HostbasedAuthentication no
GSSAPIAuthentication no
PubkeyAuthentication yes
UsePAM yes
I am no expert on PAM (far from it!), but can I still use pam_faillock to lockout accounts given the above? I'm not sure because both PasswordAuthentication and ChallengeResponseAuthentication are set to no, and I'm not sure PAM has any knowledge of PubkeyAuthentication.
But what I really want to do is lockout the incoming IP address that is trying to authenticate (not the user account) after 3 failed authentication attempts, but then automatically restore the ability of that IP to attempt to login after one hour. I don't know if PAM can lockout IPs (as opposed to accounts), nor do I know if it can automatically unlock them after a set length of time. So PAM may not be the answer. PAM is quite complex and I just have never taken the time to learn it other than a basic understanding of some of the simpler things it can do.
Anyway, this is not urgent since I have a script (actually, a set of scripts) that does all this already. I'm just wondering if there is a more standard method than my homegrown one.
I would, quite frankly, avoid the situation entirely: use digital certificates with ssh, and prohibit the use of password login.
If you are a possessor of the specified key (and passphrase), then you can log in without further ado: no password prompt is required, because the credentials you have presented are far stronger than any "magic word." If the key is compromised, simply invalidate the key.
It's senseless to allow anyone on the Internet to "present a password" to your system.
They can't present a password to my system, since it only allows pubkey authentication. So I'm covered there.
But I like multiple layers of security. While allowing only one single user (me!) access to the system (via AllowUsers in sshd_config), and only allowing pubkey authentication, I think the system is already pretty secure. I have no other tcp LISTEN'ers running, except for CUPS, and that is only on the localhost adapter. But this SSHD setup is only ONE layer - all based on the sshd_config file. As another layer, locking out IPs that fail to authenticate just provides that much more protection. Say if I were to somehow accidently screw up my sshd_config file during editing one day, this extra layer of IP lockout might save my butt.
Thanks! Now that you mention it, I have heard of Fail2Ban before. I googled it, found a Wiki page, and that page also had a link to another similar program, DenyHosts.
I am researching these two now. They appear similar to my homegrown scripting, except they appear to parse logfiles to determine failed login attempts whereas my homegrown thing integrates with SSH in realtime (using linkage via /etc/ssh/sshrc). Don't know which method is better, but I'll do some research on these alternate programs. Thanks again.
You don't need to test, but since you expressed some interest, below is my "homegrown method" that I posted about years ago. Still works fine, I was just researching to see if someone came up with a better way since then. Generally, a "standard" program would be preferable to my homegrown method. But I guess every program is initially a "homegrown method".
BTW, subsequent to the above post describing my method, I implemented a simple cron job to clear out IP addresses that had been banned after a certain length of time. That cron job just edited /etc/hosts.allow and removed dated entries.
Depending on your circumstance, you REALLY don't want to do that.
Especially if you support multiple users.
You could get many connection attempts from one system, each from a different user. Locking out that system would lock out all users, even those that have not had a failure...
It could even be a DOS..
The technique is fairly useful for web servers as the connecting host will most often be a single system. But a generic service like ssh is used for copying files from server to server, remote backups, and even distributed computation.
Denying access to a workstation due to a user error would also block system backups done by a different account...
Depending on your circumstance, you REALLY don't want to do that.
Especially if you support multiple users.
What I use this for is restricting access to my home computer, which has one user - me - and I only want one user from the outside world - me (when I'm not at home) - to be able to get in.
On the multiple user computers I manage at work, yes, I agree with you, this would be totally inappropriate. It's good that you brought up this point, since I failed to mention my unique "one user" scenario in my initial post. Thanks.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.