LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices


Reply
  Search this Thread
Old 04-20-2013, 08:54 PM   #1
haertig
Senior Member
 
Registered: Nov 2004
Distribution: Debian, Ubuntu, LinuxMint, Slackware, SysrescueCD, Raspbian, Arch
Posts: 2,285

Rep: Reputation: 354Reputation: 354Reputation: 354Reputation: 354
SSHD: Lockout IP address after xxx failed authentication attempts


What are good ways to accomplish this? I wrote my own script to do this years ago, but I'm now investigating if there is a better "standard" method.

My SSHD setup only allows pubkey authentication. No other methods. So I have in my sshd_config (partial listing of the contents):
Code:
ChallengeResponseAuthentication no
PasswordAuthentication no
KerberosAuthentication no
RSAAuthentication no
RhostsRSAAuthentication no
HostbasedAuthentication no
GSSAPIAuthentication no
PubkeyAuthentication yes
UsePAM yes
I am no expert on PAM (far from it!), but can I still use pam_faillock to lockout accounts given the above? I'm not sure because both PasswordAuthentication and ChallengeResponseAuthentication are set to no, and I'm not sure PAM has any knowledge of PubkeyAuthentication.

But what I really want to do is lockout the incoming IP address that is trying to authenticate (not the user account) after 3 failed authentication attempts, but then automatically restore the ability of that IP to attempt to login after one hour. I don't know if PAM can lockout IPs (as opposed to accounts), nor do I know if it can automatically unlock them after a set length of time. So PAM may not be the answer. PAM is quite complex and I just have never taken the time to learn it other than a basic understanding of some of the simpler things it can do.

Anyway, this is not urgent since I have a script (actually, a set of scripts) that does all this already. I'm just wondering if there is a more standard method than my homegrown one.
 
Old 04-20-2013, 09:04 PM   #2
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,078
Blog Entries: 4

Rep: Reputation: 3182Reputation: 3182Reputation: 3182Reputation: 3182Reputation: 3182Reputation: 3182Reputation: 3182Reputation: 3182Reputation: 3182Reputation: 3182Reputation: 3182
I would, quite frankly, avoid the situation entirely: use digital certificates with ssh, and prohibit the use of password login.

If you are a possessor of the specified key (and passphrase), then you can log in without further ado: no password prompt is required, because the credentials you have presented are far stronger than any "magic word." If the key is compromised, simply invalidate the key.

It's senseless to allow anyone on the Internet to "present a password" to your system.
 
Old 04-20-2013, 09:26 PM   #3
haertig
Senior Member
 
Registered: Nov 2004
Distribution: Debian, Ubuntu, LinuxMint, Slackware, SysrescueCD, Raspbian, Arch
Posts: 2,285

Original Poster
Rep: Reputation: 354Reputation: 354Reputation: 354Reputation: 354
They can't present a password to my system, since it only allows pubkey authentication. So I'm covered there.

But I like multiple layers of security. While allowing only one single user (me!) access to the system (via AllowUsers in sshd_config), and only allowing pubkey authentication, I think the system is already pretty secure. I have no other tcp LISTEN'ers running, except for CUPS, and that is only on the localhost adapter. But this SSHD setup is only ONE layer - all based on the sshd_config file. As another layer, locking out IPs that fail to authenticate just provides that much more protection. Say if I were to somehow accidently screw up my sshd_config file during editing one day, this extra layer of IP lockout might save my butt.
 
Old 04-20-2013, 09:27 PM   #4
273
LQ Addict
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,585

Rep: Reputation: 2350Reputation: 2350Reputation: 2350Reputation: 2350Reputation: 2350Reputation: 2350Reputation: 2350Reputation: 2350Reputation: 2350Reputation: 2350Reputation: 2350
I thought fail2ban did this?
 
Old 04-20-2013, 09:47 PM   #5
haertig
Senior Member
 
Registered: Nov 2004
Distribution: Debian, Ubuntu, LinuxMint, Slackware, SysrescueCD, Raspbian, Arch
Posts: 2,285

Original Poster
Rep: Reputation: 354Reputation: 354Reputation: 354Reputation: 354
Thanks! Now that you mention it, I have heard of Fail2Ban before. I googled it, found a Wiki page, and that page also had a link to another similar program, DenyHosts.

I am researching these two now. They appear similar to my homegrown scripting, except they appear to parse logfiles to determine failed login attempts whereas my homegrown thing integrates with SSH in realtime (using linkage via /etc/ssh/sshrc). Don't know which method is better, but I'll do some research on these alternate programs. Thanks again.
 
Old 04-20-2013, 09:55 PM   #6
273
LQ Addict
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,585

Rep: Reputation: 2350Reputation: 2350Reputation: 2350Reputation: 2350Reputation: 2350Reputation: 2350Reputation: 2350Reputation: 2350Reputation: 2350Reputation: 2350Reputation: 2350
Glad to remind you. If you come up with any scripts like fail2ban I'd be happy to test them though I only have virtual servers with limited exposure.
 
Old 04-20-2013, 10:26 PM   #7
haertig
Senior Member
 
Registered: Nov 2004
Distribution: Debian, Ubuntu, LinuxMint, Slackware, SysrescueCD, Raspbian, Arch
Posts: 2,285

Original Poster
Rep: Reputation: 354Reputation: 354Reputation: 354Reputation: 354
You don't need to test, but since you expressed some interest, below is my "homegrown method" that I posted about years ago. Still works fine, I was just researching to see if someone came up with a better way since then. Generally, a "standard" program would be preferable to my homegrown method. But I guess every program is initially a "homegrown method".

http://www.linuxquestions.org/questi...6/#post2290296

BTW, subsequent to the above post describing my method, I implemented a simple cron job to clear out IP addresses that had been banned after a certain length of time. That cron job just edited /etc/hosts.allow and removed dated entries.
 
Old 04-20-2013, 11:55 PM   #8
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,866

Rep: Reputation: 1487Reputation: 1487Reputation: 1487Reputation: 1487Reputation: 1487Reputation: 1487Reputation: 1487Reputation: 1487Reputation: 1487Reputation: 1487
Depending on your circumstance, you REALLY don't want to do that.

Especially if you support multiple users.

You could get many connection attempts from one system, each from a different user. Locking out that system would lock out all users, even those that have not had a failure...

It could even be a DOS..

The technique is fairly useful for web servers as the connecting host will most often be a single system. But a generic service like ssh is used for copying files from server to server, remote backups, and even distributed computation.

Denying access to a workstation due to a user error would also block system backups done by a different account...

Last edited by jpollard; 04-20-2013 at 11:59 PM.
 
Old 04-21-2013, 01:42 AM   #9
haertig
Senior Member
 
Registered: Nov 2004
Distribution: Debian, Ubuntu, LinuxMint, Slackware, SysrescueCD, Raspbian, Arch
Posts: 2,285

Original Poster
Rep: Reputation: 354Reputation: 354Reputation: 354Reputation: 354
Quote:
Originally Posted by jpollard View Post
Depending on your circumstance, you REALLY don't want to do that.
Especially if you support multiple users.
What I use this for is restricting access to my home computer, which has one user - me - and I only want one user from the outside world - me (when I'm not at home) - to be able to get in.

On the multiple user computers I manage at work, yes, I agree with you, this would be totally inappropriate. It's good that you brought up this point, since I failed to mention my unique "one user" scenario in my initial post. Thanks.
 
Old 04-22-2013, 01:59 AM   #10
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 7.7 (?), Centos 8.1
Posts: 17,814

Rep: Reputation: 2553Reputation: 2553Reputation: 2553Reputation: 2553Reputation: 2553Reputation: 2553Reputation: 2553Reputation: 2553Reputation: 2553Reputation: 2553Reputation: 2553
Incidentally, if you want to lock out accts (as opposed to IPs), see pam_tally.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] SSHD login authentication failed with LDAP sheelavantar Linux - Server 2 09-02-2011 03:12 AM
Error, some other host already uses address xxx.xxx,xxx,xxx ryan462 Linux - Networking 20 01-25-2010 12:14 AM
SSH tricks -- any way to block failed attempts by IP address tensigh Linux - Security 10 06-06-2008 04:46 PM
How do I find the source IP of failed SASL authentication attempts? sunhak Linux - Security 7 10-24-2007 05:22 PM
How to deal with SSHD invalid user XXXX from www.xxx.yyy.xxx 1kyle SUSE / openSUSE 1 09-30-2006 06:26 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Software

All times are GMT -5. The time now is 04:13 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration