Re: shutting down dictionary attacks
From: Brian J. Woods (brianjwd_at_gmail.com)
Date: 07/08/05
- Previous message: Bartosz Krajnik: "Re: shutting down dictionary attacks"
- In reply to: apacheroot_at_web.de: "Re: shutting down dictionary attacks"
- Next in thread: Darren Tucker: "Re: shutting down dictionary attacks"
- Reply: Darren Tucker: "Re: shutting down dictionary attacks"
Date: Fri, 08 Jul 2005 13:37:43 -0500
To: secureshell@securityfocus.com
apacheroot@web.de wrote:
>
>On not too busy boxes one could also use an iptables rule with limit, something like
>
>iptables -A INPUT -p tcp --dport 22 -m limit --limit 3/second --limit-burst 5 -j ACCEPT
>iptables -A INPUT -p tcp --dport 22 -j LOG --log-prefix "to much SSh"
>
>Accept normal incoming ssh packets. But when a storm of connections comes in, like a password brute force, it gets logged. (One could also drop the packets after log so they don't traverse down the chain till policy hits.)
>
>Josh Grosse <josh@jggimi.homeip.net> wrote on 06.07.05 16:38:45:
>
>
>>On Tue, Jul 05, 2005 at 02:56:25AM -0000, LD wrote:
>>
>>
>>>The only problem with setting the max to 1 is that if you're running an
>>>SSH key agent, your SSH program may attempt key authentication. Each key
>>>in the ring counts as 1 authentication try, so this could possibly cut you
>>>off if you use keys. Just a warning ;) Easily fixed.
>>>
>>>
>>Thanks for the warning.
>>
>>I am running with key authentication (RSA), but not with forwarding agents --
>>only X11 is tunnelled. So MaxAuthTries 1 works fine with OpenSSH or Putty
>>clients.
>>
>>
>
>
Can you do this in pf?
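
Added example, not part of the original message or of any poster's reply: a simplified integer token-bucket model of the iptables `limit` match, run over constructed packet timestamps, to show what the quoted ACCEPT/LOG rule pair does. The quoted rules match every TCP packet to port 22 and share one bucket across all sources; the `new_only` switch (limit only connection-opening packets, with an earlier rule accepting established traffic) is an assumption of this example, not something proposed in the thread.

```python
class LimitMatch:
    """Simplified model of `-m limit --limit 3/second --limit-burst 5`.
    Credit is kept in integer milli-tokens so the arithmetic is exact."""

    def __init__(self, per_second=3, burst=5):
        self.per_second = per_second
        self.cap = burst * 1000        # bucket size, also the initial credit
        self.credit = self.cap
        self.last_ms = 0

    def matches(self, now_ms):
        # Refill for the elapsed time, never above the burst size.
        elapsed = now_ms - self.last_ms
        self.credit = min(self.cap, self.credit + elapsed * self.per_second)
        self.last_ms = now_ms
        if self.credit >= 1000:        # one whole token available
            self.credit -= 1000
            return True                # limit rule matches: ACCEPT
        return False                   # falls through to the LOG rule


def run(packets, new_only):
    """packets: list of (time_ms, is_syn). Returns (accepted, logged)."""
    limit = LimitMatch()
    accepted = logged = 0
    for time_ms, is_syn in sorted(packets):
        if new_only and not is_syn:
            accepted += 1              # assumed earlier rule for established traffic
        elif limit.matches(time_ms):
            accepted += 1
        else:
            logged += 1
    return accepted, logged


# Constructed input: one interactive session, 1 SYN then 40 packets at 20 per second.
SESSION = [(0, True)] + [(50 * i, False) for i in range(1, 41)]
# Constructed input: 30 connection attempts inside one second.
STORM = [(33 * i, True) for i in range(30)]

if __name__ == "__main__":
    print("session, rules as quoted:", run(SESSION, new_only=False))
    print("session, new conns only: ", run(SESSION, new_only=True))
    print("storm,   rules as quoted:", run(STORM, new_only=False))
    print("storm,   new conns only: ", run(STORM, new_only=True))
```

In this model a single ordinary session sends most of its packets to the LOG rule when every packet is counted, while the connection storm is throttled the same way in both modes. Because the bucket is shared, a storm from one source also uses up the credit that other clients' new connections would need.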