Re: a GOOD idea to harden OpenSSH!



--- On Wed, 3/30/11, nagygabor88 <nagygabor88@xxxxxxxx> wrote:

From: nagygabor88 <nagygabor88@xxxxxxxx>
Subject: a GOOD idea to harden OpenSSH!
To: "OpenSSH list" <secureshell@xxxxxxxxxxxxxxxxx>
Date: Wednesday, March 30, 2011, 12:19 PM


if a user wants to connect to an ssh server then he has to
wait a couple of seconds, then he can write his passphrase.
the "couple of seconds" is defined in the sshd config,
e.g.: 2 seconds
the method mustn't show that the user has to wait 2 seconds
to write his passphrase.


This can already be similarly done using iptables, with entries such as:
$IPTABLES -N SSH_CHECK
$IPTABLES -I INPUT -p tcp --dport 22 -m state --state NEW -j SSH_CHECK
$IPTABLES -A SSH_CHECK -m recent --set --name SSH
$IPTABLES -A SSH_CHECK -m recent --update --seconds 180 --hitcount 5 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "
$IPTABLES -A SSH_CHECK -m recent --update --seconds 180 --hitcount 5 --rttl --name SSH -j DROP

What this does: If I get more than 5 hits within 180 seconds, block them for 180 seconds.
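To see how the --set/--update hit counting in that chain plays out over time, here is an added offline model of it (example code, not from the poster or from netfilter; the --rttl TTL check is left out and the connection attempts are constructed). In this model the fifth new connection inside the 180 s window is the first one dropped, because the --set rule has already stamped it before --update counts, and every dropped attempt adds further stamps, so the block lasts until fewer than 5 stamps remain inside the window.

```python
"""Offline model of the xt_recent hit counting behind the SSH_CHECK chain above
(--set, then --update --seconds 180 --hitcount 5). Added example, not the
poster's code; the --rttl TTL check is not modelled."""

WINDOW = 180    # --seconds 180
HITCOUNT = 5    # --hitcount 5
LIST_TOT = 20   # kernel default ip_pkt_list_tot: stamps kept per address


class RecentTable:
    """One 'recent' list (--name SSH): a ring of timestamps per source."""

    def __init__(self):
        self.stamps = {}  # src -> times at which the address was stamped

    def _stamp(self, src, now):
        st = self.stamps.setdefault(src, [])
        st.append(now)
        del st[:-LIST_TOT]  # keep only the newest LIST_TOT stamps

    def set(self, src, now):
        """--set: add the address (or refresh it); always matches."""
        self._stamp(src, now)
        return True

    def update(self, src, now):
        """--update: match when >= HITCOUNT stamps fall inside the last
        WINDOW seconds; a match also adds a fresh stamp, like --set."""
        hits = sum(1 for s in self.stamps.get(src, ()) if now - s <= WINDOW)
        if hits >= HITCOUNT:
            self._stamp(src, now)
            return True
        return False


def ssh_check(table, src, now, log):
    """Run one new TCP/22 connection through SSH_CHECK; return the verdict."""
    table.set(src, now)                     # rule 1: --set --name SSH
    if table.update(src, now):              # rule 2: LOG, non-terminating
        log.append(f"SSH_brute_force SRC={src} t={now}")
    if table.update(src, now):              # rule 3: DROP
        return "DROP"
    return "ACCEPT"                         # chain ends, INPUT continues


def simulate(attempts):
    """attempts: constructed (seconds, src) tuples -> (verdicts, log lines)."""
    table, log = RecentTable(), []
    return [ssh_check(table, src, t, log) for t, src in attempts], log
```

Feed simulate() a burst of five attempts ten seconds apart from one address and the fifth comes back "DROP" with one log line; space the same five attempts 100 s apart and all are accepted.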