LinuxQuestions.org
Old 05-16-2005, 02:42 PM   #1
chesp3
LQ Newbie
 
Registered: Dec 2004
Location: Pennsylvania, USA
Distribution: Fedora Rawhide
Posts: 2

Rep: Reputation: 0
Limiting Login Attempts


Hey All,

I use SSH on my server to upload remotely, and I use LogWatch to monitor the logs. Over the last week or so I've been getting about 600 root login attempts a day from some guy in Korea. (I've been changing the password a lot.) I googled for this and tried out a tutorial on pam_tally, and my /etc/pam.d/sshd has this:

Code:
auth       required     /lib/security/pam_tally.so onerr=fail no_magic_root
account    required     /lib/security/pam_tally.so per_user deny=3 no_magic_root reset
But I still have a couple hundred root logins, so I'm guessing this tally thing really isn't working or the config is wrong.

So how can I limit the number of logins in one day/week/hour/whatever?

Thanks in advance,

Chester
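
To put numbers on the root login attempts described in this post, the following added example (not part of the original post) tallies failed root password attempts per source address. The log lines are constructed, and the message format assumed is OpenSSH's "Failed password for root from ADDR port N ssh2"; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): tally failed root password attempts per
# source address from sshd syslog lines, to see who is behind the attempts.
# Assumes OpenSSH's "Failed password for root from ADDR port N ssh2" message.

# Constructed sample lines (documentation addresses, hypothetical host "server").
sample_log() {
cat <<'EOF'
May 16 03:12:01 server sshd[4012]: Failed password for root from 203.0.113.7 port 41022 ssh2
May 16 03:12:04 server sshd[4015]: Failed password for root from 203.0.113.7 port 41030 ssh2
May 16 03:12:07 server sshd[4019]: Failed password for root from 203.0.113.7 port 41041 ssh2
May 16 03:12:09 server sshd[4023]: Failed password for root from 203.0.113.7 port 41055 ssh2
May 16 09:40:11 server sshd[5120]: Failed password for alice from 198.51.100.23 port 50211 ssh2
May 16 09:40:19 server sshd[5120]: Accepted password for alice from 198.51.100.23 port 50211 ssh2
May 16 11:02:33 server sshd[5344]: Failed password for root from 198.51.100.23 port 50990 ssh2
EOF
}

# Reads log lines on stdin, prints "COUNT ADDRESS" sorted by count, highest first.
failed_root_by_source() {
    awk '
        /sshd\[[0-9]+\]: Failed password for root from / {
            # the address is the field right after the word "from"
            for (i = 1; i < NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (a in n) print n[a], a }
    ' | sort -rn
}

# sources_over THRESHOLD: addresses with more than THRESHOLD failed root attempts.
sources_over() {
    failed_root_by_source | awk -v t="$1" '$1 > t { print $2 }'
}

sample_log | failed_root_by_source
```

Pipe your own sshd log into `failed_root_by_source` in place of `sample_log`; running it before and after a configuration change shows whether the change had any effect.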
 
Old 05-16-2005, 06:52 PM   #2
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 124
This is a *BAD* idea. (Explained below). Instead, add
Code:
PermitRootLogin no
into your sshd_config file (usually /etc/ssh/sshd_config).

Here's why this is bad: what pam_tally does, as I understand it, is to lock the account. Then even *you* can't get in as root. I don't think that's what you want.

If you have more questions, I'd be happy to answer them.
 
Old 05-16-2005, 07:18 PM   #3
cormander
Member
 
Registered: Dec 2004
Location: Hawaii
Distribution: Fedora & CentOS
Posts: 72

Rep: Reputation: 15
I agree on the not permitting remote root login, but here is an additional thought.

You could run ssh on a different port. If the guy is stupid enough, he won't detect that you've simply changed which port you run sshd on.

This can be done by editing the /etc/ssh/sshd_config file, find the line that reads:

#Port 22

Remove the #, and change the port number. This runs sshd on port 2222:

Port 2222

Be sure to restart sshd after you do this.

You can also specify it as many times as you like, if you want to run sshd on multiple ports:

Port 1232
Port 4563

I manage several servers, and I have found that attempts like this are common.

I imagine that a lot of ssh brute force tools only look at port 22 on a network address, and if there is no response from that port, it moves on to try to hack someone else, because this isn't nearly as frequent on systems in which SSH isn't running on port 22.

Now the more ambitious bot will portscan and do brute ssh on any port it finds ssh to be running on, and simply changing the port sshd runs on won't stop these bots, but I believe doing this will still cut out a big chunk of the number of bots out there trying to brute force their way into your system.
 
Old 05-16-2005, 07:31 PM   #4
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 124
That is also a possibility, though I prefer to leave services running on their well known port. Mostly a personal/choice thing. If the rest of your security is good enough, you should be fine either way.
 
Old 05-16-2005, 08:08 PM   #5
chesp3
LQ Newbie
 
Registered: Dec 2004
Location: Pennsylvania, USA
Distribution: Fedora Rawhide
Posts: 2

Original Poster
Rep: Reputation: 0
Thanks for the suggestions, I forgot about PermitRootLogin... Just for my reference however, is there a way to block login attempts (besides pam_tally) for say a normal user just for some extra security? It's not that important.

Thanks again,

Chester
 
Old 05-16-2005, 08:13 PM   #6
cormander
Member
 
Registered: Dec 2004
Location: Hawaii
Distribution: Fedora & CentOS
Posts: 72

Rep: Reputation: 15
You can give the user the nologin shell:

Code:
usermod -s /sbin/nologin USER
Or you can disable their password:

Code:
passwd -l USER
 
Old 05-16-2005, 09:18 PM   #7
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 124
Well, let's not forget about the 'AllowGroups' directive in sshd. In my sshd_config, I have "AllowGroups sshusers" and have a group sshusers to which I have added all users I want to be able to use ssh. I do NOT use this as a primary group, only secondary, but I think it's easier than disabling users. Just like a firewall: deny everything, then allow what you need in.
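
The sshd_config directives suggested in this thread (PermitRootLogin, Port, AllowGroups) can be checked together; the following is an added example, not part of any post above, that reports the values sshd will actually use. It relies on sshd keeping the first value it reads for a keyword while Port lines accumulate; the sample config is constructed, the function names are hypothetical, and Match blocks are not handled.

```shell
#!/bin/sh
# Added example (not from the thread): report the values sshd will actually use
# for the directives discussed above. sshd keeps the FIRST value it reads for a
# keyword, so a later "PermitRootLogin yes" is ignored; Port lines accumulate.
# Simplification: Match blocks and "Keyword=value" syntax are not handled.

# Constructed sample config combining the thread's suggestions.
write_sample() {
cat > "$1" <<'EOF'
# constructed sample, not a real server's file
Port 1232
Port 4563
PermitRootLogin no
AllowGroups sshusers
PermitRootLogin yes
EOF
}

# effective_value FILE KEYWORD: first uncommented value (keywords are case-insensitive)
effective_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# all_ports FILE: every configured port, or 22 when no Port line is active
all_ports() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "port" { out = (out == "" ? $2 : out " " $2) }
        END { print (out == "" ? "22" : out) }
    ' "$1"
}

# audit_sshd_config FILE: returns 1 if root login or group restriction is missing
audit_sshd_config() {
    rc=0
    root=$(effective_value "$1" PermitRootLogin)
    groups=$(effective_value "$1" AllowGroups)
    [ "$root" = "no" ] || { echo "WARN PermitRootLogin is '${root:-unset}'"; rc=1; }
    [ -n "$groups" ] || { echo "WARN no AllowGroups line; logins are not limited by group"; rc=1; }
    echo "INFO AllowGroups: ${groups:-none}; ports: $(all_ports "$1")"
    return $rc
}

tmp=$(mktemp) && write_sample "$tmp" && audit_sshd_config "$tmp"; rm -f "$tmp"
```

Point `audit_sshd_config` at /etc/ssh/sshd_config after editing it; a directive appended at the end of the file has no effect if an earlier uncommented line already sets the same keyword.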
 
  

