Re: Deliberately create slow SSH response?



Hi Kevin,

Here are a few solutions that I can think of at the moment;

-Change your sshd port from 22 to something less prone to scans/attacks. i.e. 122, 222, etc...
-Disable password authentication?
-TCP wrappers that spawn a script at every ssh connection and checks for IP and validate if it has been denied a connection before, and put the IP in /etc/hosts.deny if x amount of attempts is reached. You would script something and put it in /etc/hosts.allow in the following format: (your SSH should be compiled with libwrap)
sshd : all : spawn (/path/to/your_script.sh %a)&
- You can also use http://denyhosts.sourceforge.net/ which is a python script that should work fine with the Linux distros that you list.

Hope this helps.

-Ed

----- Original Message ----
From: "Zembower, Kevin" <kzembowe@xxxxxxxxxx>
To: secureshell@xxxxxxxxxxxxxxxxx
Sent: Wednesday, July 9, 2008 12:55:34 PM
Subject: Deliberately create slow SSH response?

This might seem like a strange question to ask, but is there a way to
deliberately create a slow response to an SSH request? I'm annoyed at
the large number of distributed SSH brute-force attacks on a server I
administer, trying to guess the password for 'root' and other accounts.
I think that my server is pretty secure; doesn't allow root to log in
through SSH, only a restricted number of accounts are allowed SSH
access, with I think pretty good passwords. But still, the attempts
annoy me.

I wouldn't mind if SSH took say 30 seconds to ask me for my password.
This would slow the attempts. Is there any way to configure OpenSSH to
do this? I searched the archives of this group with 'slow' and 'delay'
but didn't come up with anything on this topic. Please point it out to
me if I overlooked anything. In addition, I can limit the number of SSH
connections to 3-5 and still operate okay.

Ultimately, I need this solution for hosts running OpenSSH_3.9p1 under
RHEL ES 4 and OpenSSH_4.3p2 under Debian 'etch' 4.0 and Fedora Core 6.

Thanks in advance for your advice and suggestions.

-Kevin

Kevin Zembower
Internet Services Group manager
Center for Communication Programs
Bloomberg School of Public Health
Johns Hopkins University
111 Market Place, Suite 310
Baltimore, Maryland 21202
410-659-6139



__________________________________________________________________
Yahoo! Canada Toolbar: Search from anywhere on the web, and bookmark your favourite sites. Download it now at
http://ca.toolbar.yahoo.com.



Relevant Pages

  • RE: Linux hacked
    ... Also, what exactly did the history file show, can you paste it into a mail ... > First let me say I'm a security novice. ... > been unsuccessful in getting root back. ... > via ssh but you could su in once logged in as one of three users. ...
    (Security-Basics)
  • Re: Linux hacked
    ... To find out what kernel version you are running, type "uname -a" without ... > been unsuccessful in getting root back. ... > via ssh but you could su in once logged in as one of three users. ...
    (Security-Basics)
  • Re: X11Forwarding, ssh -X, and /bin/su
    ... ]>but I'm not really tunneled using ssh then, ... ]connecting to the X server and have the home directory NFS-mounted ... ](unless you leave root unmapped over NFS, ... ]root-readable place and set the environment $XAUTHORITY variable ...
    (comp.security.ssh)
  • RE: Linux hacked
    ... hack the box, pull the drive and save it. ... Use the newest versions of Gentoo, Apache, SSH, PHP and Squirl Mail. ... been unsuccessful in getting root back. ... I found a hidden directory /var/tmp/.tmp that has a bunch of directories ...
    (Security-Basics)
  • RE: Linux hacked
    ... Was any of the sites running a php nuke or another portal or system that is vuln ... been able to use that with a locla root exploit to gain root on the machine. ... > hack the box, pull the drive and save it. ... > Use the newest versions of Gentoo, Apache, SSH, PHP and Squirl Mail. ...
    (Security-Basics)