Re: shutting down dictionary attacks

apacheroot_at_web.de
Date: 07/06/05

    Date: Wed, 06 Jul 2005 17:27:54 +0200
    To: secureshell@securityfocus.com
    
    

    On not too busy boxes one could also use an iptables rule with limit, something like:

    # accept port-22 packets at up to 3/second, with a burst of 5 (--dport and LOG spelled correctly)
    iptables -A INPUT -p tcp --dport 22 -m limit --limit 3/second --limit-burst 5 -j ACCEPT
    # everything over the limit falls through to this rule and is logged
    iptables -A INPUT -p tcp --dport 22 -j LOG --log-prefix "too much SSH "

    Accept normal incoming SSH packets, but when a storm of connections comes in, like a password brute force, it gets logged. (One could also drop the packets after the log so they don't traverse down the chain till the policy hits.)

    Josh Grosse <josh@jggimi.homeip.net> wrote on 06.07.05 16:38:45:
    >
    > On Tue, Jul 05, 2005 at 02:56:25AM -0000, LD wrote:
    > > The only problem with setting the max to 1 is that if you're running an
    > > SSH key agent, your SSH program may attempt key authentication. Each key
    > > in the ring counts as 1 authentication try, so this could possibly cut you
    > > off if you use keys. Just a warning ;) Easily fixed.
    >
    > Thanks for the warning.
    >
    > I am running with key authentication (RSA), but not with forwarding agents --
    > only X11 is tunnelled. So MaxAuthTries 1 works fine with OpenSSH or Putty
    > clients.

    _________________________________________________________________________
    With the group SMS from WEB.DE FreeMail you can send an SMS to all your
    friends at once: http://freemail.web.de/features/?mc=021179
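The rate-limiting behaviour of the rule pair above, as an added example that is not code from the post or from the list: a token-bucket model of the iptables `limit` match (credits refilled at `--limit`, capped at `--limit-burst`, one token spent per matching packet), driven by constructed SSH connection attempts from a guessing host and from an administrator. It also models the per-source bucket of `-m hashlimit --hashlimit-mode srcip`, because the plain `limit` match keeps a single bucket for the whole rule, so a brute-force storm empties it for everyone and the administrator's own connection gets logged and dropped as well. The addresses, timings and the `--syn`/DROP variant of the rules in the comment are assumptions made for the example.

```python
# Added example (not from the list post): token-bucket model of the
# iptables "limit" match, driven by constructed SSH connection attempts.
#
# The chain modelled is the poster's pair of rules, restricted to new
# connections and followed by a DROP (a constructed rule set, not the post's):
#
#   iptables -A INPUT -p tcp --dport 22 --syn -m limit --limit 3/second \
#            --limit-burst 5 -j ACCEPT
#   iptables -A INPUT -p tcp --dport 22 --syn -j LOG --log-prefix "ssh flood: "
#   iptables -A INPUT -p tcp --dport 22 --syn -j DROP
#
# Times are integer milliseconds and credits are thousandths of a token so
# the arithmetic is exact (the kernel's xt_limit keeps an integer credit
# counter in the same spirit).

from collections import defaultdict

COST = 1000  # credit consumed per matching packet (one token)


class Bucket:
    """One limit bucket: `burst` tokens, refilled at `rate` tokens/second."""

    def __init__(self, rate, burst):
        self.rate = rate            # tokens per second == credits per ms
        self.cap = burst * COST     # credit ceiling (--limit-burst)
        self.credit = self.cap      # starts full, as in the kernel
        self.last_ms = 0

    def take(self, now_ms):
        """Refill for the elapsed time, then spend one token if possible."""
        self.credit = min(self.cap,
                          self.credit + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if self.credit >= COST:
            self.credit -= COST
            return True
        return False


def simulate(attempts, rate=3, burst=5, per_source=False):
    """Run the ACCEPT/LOG/DROP chain over (time_ms, src_ip) SSH SYNs.

    per_source=False models `-m limit` (one bucket shared by every source);
    per_source=True models `-m hashlimit --hashlimit-mode srcip` (a bucket
    per source address).  Returns {src: {"accepted": [...], "logged": [...]}}.
    """
    buckets = defaultdict(lambda: Bucket(rate, burst))
    shared = Bucket(rate, burst)
    result = defaultdict(lambda: {"accepted": [], "logged": []})
    for t, src in sorted(attempts):
        bucket = buckets[src] if per_source else shared
        # a packet that fails the limit match falls through to LOG, then DROP
        verdict = "accepted" if bucket.take(t) else "logged"
        result[src][verdict].append(t)
    return {src: dict(v) for src, v in result.items()}


# Constructed traffic (assumed addresses from the documentation ranges): a
# password-guessing host opening a connection every 100 ms for three seconds,
# and an admin who connects once before the storm and once during it.
ATTACKER = "203.0.113.7"
ADMIN = "198.51.100.2"
ATTEMPTS = ([(t, ATTACKER) for t in range(1000, 4000, 100)]
            + [(500, ADMIN), (2550, ADMIN)])


def main():
    for per_source in (False, True):
        print("hashlimit (per-source bucket)" if per_source
              else "limit (one bucket shared by all sources)")
        r = simulate(ATTEMPTS, per_source=per_source)
        for src in (ADMIN, ATTACKER):
            print(f"  {src:14} accepted={len(r[src]['accepted']):2d}"
                  f" logged+dropped={len(r[src]['logged']):2d}")


if __name__ == "__main__":
    main()
```

With the shared bucket the guessing host gets 13 of its 30 attempts through (the 5-token burst, then roughly 3 per second), the other 17 are logged and dropped, and the administrator's second connection at 2.55 s is dropped along with them. With a per-source bucket the attacker sees the same limit while the administrator is never touched, which is why `hashlimit` is the better fit on a box that other people still need to reach during an attack.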


