RE: Deliberately create slow SSH response?



Kevin,

Check out fail2ban at http://sourceforge.net/projects/fail2ban -- it
will scan your logs for invalid access attempts and add iptables
firewall rules to block the offending IP addresses after a configurable
number of attempts.

Richard Wilson
EDS
richard dot wilson at eds dot com

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Zembower, Kevin
Sent: Wednesday, July 09, 2008 12:56 PM
To: secureshell@xxxxxxxxxxxxxxxxx
Subject: Deliberately create slow SSH response?

This might seem like a strange question to ask, but is there a way to
deliberately create a slow response to an SSH request? I'm annoyed at
the large number of distributed SSH brute-force attacks on a server I
administer, trying to guess the password for 'root' and other accounts.
I think that my server is pretty secure; doesn't allow root to log in
through SSH, only a restricted number of accounts are allowed SSH
access, with I think pretty good passwords. But still, the attempts
annoy me.

I wouldn't mind if SSH took say 30 seconds to ask me for my password.
This would slow the attempts. Is there any way to configure OpenSSH to
do this? I searched the archives of this group with 'slow' and 'delay'
but didn't come up with anything on this topic. Please point it out to
me if I overlooked anything. In addition, I can limit the number of SSH
connections to 3-5 and still operate okay.

Ultimately, I need this solution for hosts running OpenSSH_3.9p1 under
RHEL ES 4 and OpenSSH_4.3p2 under Debian 'etch' 4.0 and Fedora Core 6.

Thanks in advance for your advice and suggestions.

-Kevin

Kevin Zembower
Internet Services Group manager
Center for Communication Programs
Bloomberg School of Public Health
Johns Hopkins University
111 Market Place, Suite 310
Baltimore, Maryland 21202
410-659-6139



Relevant Pages

  • Re: SSH compiled with backdoor
    ... backdoor passwd into the ssh and wont show up in wtmp, ... ever he logs in as) invisible, so say u login with the username root and ... your use the global hidden passwd it will allow him on as root. ... the file that logs all the logins with time stamps and src ips is "dev/saux" ...
    (Incidents)
  • Re: OT: Safe to access SSH server from work?
    ... on any host and never been terribly worried about the state of the logs as ... login, and the only thing that such accounts can run is sftp. ... IP based ACLs within the ssh configuration to help ensure that internal ... only a miniscule incremental change to insist on a different port. ...
    (Debian-User)
  • RE: How to display IP of ssh user in message?
    ... How to display IP of ssh user in message? ... - Have a warning banner enabled at log in. ... do a lastb and it logs it by, ...
    (RedHat)
  • Re: how to react on ssh attacks?
    ... > to view the logs. ... The huge amount of ssh probes that have been going on for the last year or ... enforced routine password changes and password selection rules since the ...
    (Fedora)
  • Re: Help -- Have I been rooted?
    ... I only allowed ssh, httpd, and ftp port forwarding to my ... machine for the past few days while I used a store bought router. ... I checked the router logs and was greeted by pages of stuff like this: ...
    (comp.os.linux.security)