Re: sshd: Preventing people trying lots of logins

From: Andrew Schulman (andrex_at_deadspam.com)
Date: 12/30/04


Date: Thu, 30 Dec 2004 12:03:11 -0500


> I'm running a linux box with fedora core 2 over a home DSL connection. I
> keep seeing entries in the logs suggesting that a given host has tried
> to make many (100+) connections to my ssh server, using a variety of
> different usernames (some common first names, others names like apache,
> webmaster etc)
>
> I think I'm pretty safe as the only usernames that sshd will allow to
> log in aren't dictionary names, but even so it'd be nice if I could make
> sshd refuse to talk to a host after e.g. 10 failed authentications.
>
> Any ideas? I've tried looking in FAQs and doing suitable google
> searches, but I've had no luck so far.

There was a thread about this on comp.security.ssh, I believe, a few
weeks ago. Sorry but I can't remember the thread title. But I don't
believe anyone came up with any neat or out-of-the-box solutions.

Someone described a PAM setting that would help in some respect, but I
don't remember what it was. But at least that could provide a hook for
finding the thread.

Recently in Debian I came across bld, the blacklist daemon. This is a
generic tool that constructs blacklists of IP addresses based on the
number of submissions within a certain time. You would have to set up a
cron script to feed it IP addresses from your ssh logs, then another one
to regularly retrieve the blacklist and insert it into your
/etc/hosts.deny. But this doesn't sound too bad, and it would exactly
address your problem.

Good luck,
Andrew.

-- 
To reply by email, replace "deadspam.com" by "alumni.utexas.net"
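
The approach described in the reply above (count failed logins per source address from the ssh logs, then list the offenders in /etc/hosts.deny), as an added example that is not part of the original post. It does its own counting in place of bld, whose interface the post does not show; the function names, threshold, window and sample log lines are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Anchored at end of line and greedy before the final " from ": the address is
# always the one sshd appended, even if the attempted username contains " from ".
# Covers "illegal user" (older OpenSSH) and "invalid user" wording, and ::ffff: prefixes.
FAILED = re.compile(
    r"^(\w{3}\s+\d+\s[\d:]{8}) \S+ sshd\[\d+\]: Failed password for .* from "
    r"(?:::ffff:)?(\d{1,3}(?:\.\d{1,3}){3}) port \d+(?: ssh\d*)?$")

def offenders(log_text, threshold=10, window=timedelta(minutes=10), year=2004):
    """Return sorted IPs with >= threshold failed logins inside any one window."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:  # syslog timestamps carry no year, so the caller supplies it
            times[m.group(2)].append(
                datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"))
    bad = []
    for ip, stamps in times.items():
        stamps.sort()
        # Sliding window: compare each failure with the one threshold-1 later.
        if any(stamps[i + threshold - 1] - stamps[i] <= window
               for i in range(len(stamps) - threshold + 1)):
            bad.append(ip)
    return sorted(bad)

def hosts_deny_lines(ips):
    """Format addresses as TCP wrappers rules for /etc/hosts.deny."""
    return [f"sshd: {ip}" for ip in ips]

# Constructed sample log (documentation-range addresses, not real data).
_FMT = "Dec 30 11:{m:02d}:{s:02d} host sshd[2101]: Failed password for {who} from {src} port 4000 ssh2"
SAMPLE_LOG = "\n".join(
    [_FMT.format(m=58, s=s, who="illegal user apache", src="::ffff:203.0.113.7") for s in range(6)]
    + [_FMT.format(m=59, s=s, who="invalid user x from 192.0.2.5 port 22 ssh2", src="203.0.113.7") for s in range(12)]
    + [_FMT.format(m=58, s=s, who="root", src="198.51.100.20") for s in range(3)]
    + ["Dec 30 12:00:00 host sshd[2200]: Accepted password for andrew from 192.0.2.5 port 5000 ssh2"])

if __name__ == "__main__":
    print("\n".join(hosts_deny_lines(offenders(SAMPLE_LOG))))
```

The `sshd:` lines only take effect when sshd is built with TCP wrappers (libwrap) support.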

