LinuxQuestions.org
Old 08-13-2004, 09:32 AM   #1
mazzo
Member
 
Registered: Jun 2003
Location: Thames Valley, UK
Distribution: RedHat from 4 -9, Fedora, Ubuntu, Centos 3 - 7, Puppy Linux, and lots of raspberry pi
Posts: 142

Rep: Reputation: 15
ssh auto shutdown


Hi

With the increase in ssh scans and attempted break-ins (using test, guest, admin etc usernames), is there a way to get ssh to close down if there are a number of unsuccessful attempts at logging in?

I intend to make ssh available for only a couple of users - and I think I know how to sort that out (sshd_config).

I want it so that if someone did manage to guess a valid username, then sshd would shutdown after a predefined number of failed attempts (ie the password is wrong).

If this was covered elsewhere, I couldn't find it.

Thanks
 
Old 08-13-2004, 11:06 AM   #2
TBC Cosmo
Member
 
Registered: Feb 2004
Location: NY
Distribution: Fedora 10, CentOS 5.4, Debian 5 Sparc64
Posts: 356

Rep: Reputation: 43
Re: ssh auto shutdown

Quote:
Originally posted by mazzo
Hi

With the increase in ssh scans and attempted break-ins (using test, guest, admin etc usernames), is there a way to get ssh to close down if there are a number of unsuccessful attempts at logging in?

I intend to make ssh available for only a couple of users - and I think I know how to sort that out (sshd_config).

I want it so that if someone did manage to guess a valid username, then sshd would shutdown after a predefined number of failed attempts (ie the password is wrong).

If this was covered elsewhere, I couldn't find it.

Thanks
1. It's doubtful that someone will hang around long enough to actually guess an account. These scans test for dumb accounts and dump a rootkit or something. They check for these stupid accounts and if not found, move on. They have better success rates doing that.

2. With a good password, it could take a very long time to brute force an account even on a known login name. Meanwhile, the logs are filling up with failed attempts, and PAM can disable the account after a certain # of failed tries.

3. Use ssh PK auth with ssh-agent and/or PuTTY agent and config sshd to allow only key auth. That way, if by some miracle, a password is guessed, the connection fails since there is no corresponding key at the other end.

4. Config tcp_wrappers to allow only those users if they have static IP, or by range of their IPs if dynamic. Deny all else. That way you at least eliminate China, Russia, Canada, Texas etc.

There's more, but I think these are good without going to extremes.
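
A check for point 3 and for the restricted user list mentioned in the question, as an added example that is not part of the original post: it reads an sshd_config and reports whether password logins are off and an AllowUsers list is present. The sample configurations and user names are constructed, and the script assumes a config without Match blocks.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the key-only
# and restricted-user setup described above. Assumes no Match blocks.

# effective FILE REGEX DEFAULT: print the value sshd would use. Keywords are
# case-insensitive and the first occurrence of a keyword wins.
effective() {
    awk -v re="$2" -v def="$3" '
        /^[ \t]*#/ { next }
        tolower($1) ~ re { $1 = ""; sub(/^[ \t]+/, ""); print; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd FILE: print one finding per weak setting; return 1 if any.
audit_sshd() {
    rc=0
    pw=$(effective "$1" '^passwordauthentication$' yes)
    # Same option under its older and newer name; PAM can prompt for a
    # password through it even when PasswordAuthentication is "no".
    kb=$(effective "$1" '^(challengeresponse|kbdinteractive)authentication$' yes)
    au=$(effective "$1" '^allowusers$' '')
    [ "$pw" = no ] || { echo "WEAK: PasswordAuthentication $pw"; rc=1; }
    [ "$kb" = no ] || { echo "WEAK: keyboard-interactive auth $kb"; rc=1; }
    [ -n "$au" ]   || { echo "WEAK: no AllowUsers list"; rc=1; }
    return $rc
}

# Constructed sample configurations (user names are placeholders).
weak_cfg() { printf '%s\n' '# defaults left alone' 'Port 22' 'PermitRootLogin no'; }
hard_cfg() {
    printf '%s\n' 'PasswordAuthentication no' \
        'ChallengeResponseAuthentication no' 'PubkeyAuthentication yes' \
        'AllowUsers alice bob' 'PasswordAuthentication yes'
}

tmp=$(mktemp)
weak_cfg > "$tmp"; audit_sshd "$tmp" || true
hard_cfg > "$tmp"; audit_sshd "$tmp" && echo "OK: key-only, users restricted"
rm -f "$tmp"
```

The trailing `PasswordAuthentication yes` in the hardened sample is ignored because sshd keeps the first value it reads, which is why the audit reads the file the same way.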
 
Old 08-13-2004, 11:51 AM   #3
mazzo
Member
 
Registered: Jun 2003
Location: Thames Valley, UK
Distribution: RedHat from 4 -9, Fedora, Ubuntu, Centos 3 - 7, Puppy Linux, and lots of raspberry pi
Posts: 142

Original Poster
Rep: Reputation: 15
Thanks - that's good advice.

I have bolted ssh down to only 2 users - so am limiting the availability of legal logins.

Very interested in your PAM comment. I would be keen to know how I implement the x failed attempts, then shutdown.

Conversely, if it does get shut down, is there a way to re-start it at a certain period after shutdown. Is this a cron task?

Thanks
 
Old 08-13-2004, 01:07 PM   #4
TBC Cosmo
Member
 
Registered: Feb 2004
Location: NY
Distribution: Fedora 10, CentOS 5.4, Debian 5 Sparc64
Posts: 356

Rep: Reputation: 43
I wouldn't go to the trouble of killing the ssh server, just lock the user's account.

Code:
auth        required      /lib/security/pam_env.so
auth        required      /lib/security/pam_tally.so onerr=fail no_magic_root
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        required      /lib/security/pam_deny.so

account     required      /lib/security/pam_unix.so
account     required      /lib/security/pam_tally.so deny=3 no_magic_root reset
password    required      /lib/security/pam_cracklib.so retry=3 minlen=8 dcredit=-1 ocredit=-1 ucredit=-1 lcredit=-1
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow remember=15
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so

This causes pam to lock the user's account after 3 failed attempts. To find failed logins using the pam_tally module, type pam_tally, and to reset, do pam_tally --user user --reset
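
To see which accounts a deny=3 threshold would have caught, the following added example (not part of the original post) replays sshd log lines and counts failed passwords per existing account, clearing the count on a successful login as the reset option does. The log lines, host name and user names are constructed, and the counting is a simplified model rather than pam_tally's own bookkeeping.

```shell
#!/bin/sh
# Added example, not from the thread. Log lines below are constructed.
sample_log() {
cat <<'EOF'
Aug 13 09:30:01 host sshd[2001]: Failed password for illegal user test from 192.0.2.10 port 40001 ssh2
Aug 13 09:30:03 host sshd[2002]: Failed password for illegal user guest from 192.0.2.10 port 40002 ssh2
Aug 13 09:31:10 host sshd[2003]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Aug 13 09:31:14 host sshd[2004]: Failed password for alice from 198.51.100.7 port 51001 ssh2
Aug 13 09:31:19 host sshd[2005]: Failed password for alice from 198.51.100.7 port 51002 ssh2
Aug 13 09:40:00 host sshd[2006]: Failed password for bob from 203.0.113.5 port 52000 ssh2
Aug 13 09:40:05 host sshd[2007]: Failed password for bob from 203.0.113.5 port 52001 ssh2
Aug 13 09:40:09 host sshd[2008]: Accepted password for bob from 203.0.113.5 port 52002 ssh2
Aug 13 09:45:00 host sshd[2009]: Failed password for bob from 203.0.113.5 port 52003 ssh2
EOF
}

# locked_accounts DENY: read sshd log lines on stdin and print each existing
# account whose run of failed passwords reached DENY. A successful login
# clears the run, like the "reset" option in the post.
locked_accounts() {
    awk -v deny="$1" '
        $5 !~ /^sshd\[/ { next }
        $6 == "Failed" && $7 == "password" {
            # "for illegal user X" / "for invalid user X": no account to lock
            if (($9 == "illegal" || $9 == "invalid") && $10 == "user") next
            if (++fails[$9] >= deny + 0) locked[$9] = 1
        }
        $6 == "Accepted" && !($9 in locked) { fails[$9] = 0 }
        END { for (u in locked) print u }
    ' | sort
}

sample_log | locked_accounts 3
```

With the constructed log, only alice reaches three failures in a row; bob's successful login clears his count before the threshold is hit.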
 
Old 08-13-2004, 05:55 PM   #5
mazzo
Member
 
Registered: Jun 2003
Location: Thames Valley, UK
Distribution: RedHat from 4 -9, Fedora, Ubuntu, Centos 3 - 7, Puppy Linux, and lots of raspberry pi
Posts: 142

Original Poster
Rep: Reputation: 15
Thanks - I will give it a go!
 
  

