Re: Password Guessing
From: Martin Paul (map_at_par.univie.ac.at)
Date: 08/19/05
- Previous message: Darren Tucker: "Re: PAM changing user name"
Date: 19 Aug 2005 12:26:26 GMT
Geoff Dolman <geoff.dolman@cimr.cam.ac.uk> wrote:
> I have an ssh gateway linux-box which is the victim of daily visits by
> password guessing attacks typically against root, nobody or other
> system-account type names like operator, oracle, guest, etc.
> Other guesses are clearly dictionary attacks: lion, lynx, monkey etc.
Jumping in a little late on this thread, but here's a simple solution
to lock out hosts after a certain amount of ssh accesses in a given
time (3 in one minute works for me).
All you need is an ssh daemon that's linked against tcp-wrappers (default
with Sun's SSH, optional with OpenSSH), and a simple shell script (see
below).
In /etc/hosts.deny you need:
# ssh-throttle
sshd: ALL: spawn (/usr/sbin/ssh-throttle %a): ALLOW
Like this, on any ssh connection the script ssh-throttle will be called,
supplied with the IP address of the source host, and the connection
will be allowed. ssh-throttle keeps track of the connections, and
adds a DENY rule right after "# ssh-throttle" to /etc/hosts.deny if
a limit of connections has been exceeded.
You can add default ALLOW rules for friendly hosts or networks above
the "# ssh-throttle", so those connections will never be throttled.
Here's the ssh-throttle script:
#!/bin/sh
clog="/var/run/ssh-throttle"
clogt="/tmp/ssh-throttle.$$"
deny="/etc/hosts.deny"
tdeny="/tmp/hosts.deny.$$"
limit=3
hh=`/usr/bin/date +%H`
mm=`/usr/bin/date +%M`
ip=$1
# Log connection
echo "$hh $mm $ip" >> "$clog"
# See if there were more than $limit connections from $ip in one minute
# (-F -x: match the whole line literally, so that 10.0.0.1 does not also
# count connections from 10.0.0.12)
count=`grep -F -x "$hh $mm $ip" "$clog" | wc -l`
if test "$count" -gt "$limit"
then
    # Check if the IP address is already listed in hosts.deny
    # (look for exactly the rule this script writes)
    exist=`grep -F -x "sshd: $ip: DENY" "$deny"`
    if test "$exist" = ""
    then
        # Log a warning, and add an entry to hosts.deny right after the
        # "# ssh-throttle" marker line (no locking, see the note below)
        logger -p auth.warn -t ssh-throttle "Denying $ip ($hh:$mm)"
        sed "/# ssh-throttle/a\\
sshd: $ip: DENY
" "$deny" > "$tdeny"
        mv "$tdeny" "$deny"
    fi
fi
# Only keep current entries (this minute) in the connection log
grep "$hh $mm " "$clog" > "$clogt"
mv "$clogt" "$clog"
This approach has worked like a charm for me in the last few weeks.
The basic concept isn't restricted to ssh, it could easily be extended
to protect other services, too.
On busy systems some locking around the modification of hosts.deny
could be necessary, and a possible danger is that any user from a
host can deliberately lock out that host (and other users on that
host) - the same issue as with locking accounts after x failed attempts.
It's a cheap hack, far from perfect, and won't fit anybody, but the
net effect has been very positive for me.
mp.
-- Systems Administrator | Institute of Scientific Computing | Univ. of Vienna
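The following is an added example, not Martin Paul's script and not part of the original post. It keeps the idea (count connections per source address, insert a DENY rule after the "# ssh-throttle" marker in hosts.deny) but swaps the clock-minute bucket for a sliding window of the last N seconds, so a burst straddling a minute boundary is still counted; it matches addresses exactly, serialises the hosts.deny rewrite with a mkdir lock, and rewrites the file in place so its owner and mode survive. It assumes a POSIX sh with awk, grep -F -x and mktemp; the addresses and timestamps in the demo are constructed sample data, and the function names are my own.

```shell
#!/bin/sh
# Added example: sliding-window variant of the ssh-throttle idea.
# Log format: "<epoch-seconds> <ip>", one line per connection.

# Record one connection from ip $1 at epoch time $2 in log file $3.
log_connection() {
    printf '%s %s\n' "$2" "$1" >> "$3"
}

# Print how many connections from ip $1 appear in log $3 with a timestamp
# inside the last $4 seconds before time $2. Exact field comparison, so
# 10.0.0.1 never matches 10.0.0.12.
count_recent() {
    awk -v ip="$1" -v now="$2" -v win="$4" \
        '$2 == ip && $1 > now - win { n++ } END { print n + 0 }' "$3"
}

# Print "deny" if ip $1 has more than $5 connections in the last $4 seconds
# before time $2 (log file $3), otherwise "allow".
throttle_decision() {
    n=$(count_recent "$1" "$2" "$3" "$4")
    if [ "$n" -gt "$5" ]; then echo deny; else echo allow; fi
}

# Insert "sshd: <ip>: DENY" directly after the "# ssh-throttle" marker in
# hosts.deny ($2) unless that exact rule is already there. A lock directory
# (atomic mkdir) keeps concurrent spawns from clobbering each other, and the
# file is rewritten in place rather than mv'd so owner/mode are unchanged.
add_deny_rule() {
    ip=$1; deny=$2; lock="$deny.lock"
    until mkdir "$lock" 2>/dev/null; do sleep 1; done
    if ! grep -F -x -q "sshd: $ip: DENY" "$deny"; then
        awk -v rule="sshd: $ip: DENY" \
            '{ print } /^# ssh-throttle$/ { print rule }' "$deny" > "$deny.tmp" \
            && cat "$deny.tmp" > "$deny"
        rm -f "$deny.tmp"
    fi
    rmdir "$lock"
}

# Drop log entries older than $2 seconds before time $1 from log $3.
prune_log() {
    awk -v now="$1" -v win="$2" '$1 > now - win' "$3" > "$3.tmp" \
        && cat "$3.tmp" > "$3"
    rm -f "$3.tmp"
}

# Demo on constructed files in a scratch directory.
demo() {
    dir=$(mktemp -d) || return 1
    log="$dir/ssh-throttle"; deny="$dir/hosts.deny"
    # Constructed hosts.deny in the layout from the post: a friendly host
    # above the marker, the spawn rule below it.
    printf '%s\n' 'sshd: 192.0.2.10: ALLOW' '# ssh-throttle' \
        'sshd: ALL: spawn (/usr/sbin/ssh-throttle %a): ALLOW' > "$deny"
    : > "$log"
    # Four connections one second apart from a constructed address, starting
    # 2 s before a minute boundary: a per-minute bucket sees 2 + 2 and never
    # trips a limit of 3; the 60 s sliding window sees all four.
    t0=1124452798   # constructed epoch timestamp (ends in :58)
    for dt in 0 1 2 3; do
        now=$((t0 + dt))
        log_connection 203.0.113.5 "$now" "$log"
        verdict=$(throttle_decision 203.0.113.5 "$now" "$log" 60 3)
        echo "t+$dt 203.0.113.5 -> $verdict"
        if [ "$verdict" = deny ]; then add_deny_rule 203.0.113.5 "$deny"; fi
    done
    echo "--- $deny ---"; cat "$deny"
    prune_log "$now" 60 "$log"
    rm -rf "$dir"
}
demo
```

The DENY line lands between the marker and the spawn rule, so tcp-wrappers (first match wins within a file) rejects the host before the spawn rule is ever reached; hosts listed above the marker are never affected, exactly as in the post. The pruning step bounds the log to one window, which replaces the original's "keep only this minute" filter.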