Re: SSH Cracking Attempts
From: Ralph Katz (ralph.katz_at_rcn.com)
Date: 10/01/04
- Previous message: Jamie Gavahan: "Re: Flash card reader"
- Next in thread: Jacob S: "Re: SSH Cracking Attempts"
- Reply: Jacob S: "Re: SSH Cracking Attempts"
- Reply: Alexei Chetroi: "Re: SSH Cracking Attempts"
- Maybe reply: Ralph Katz: "Re: SSH Cracking Attempts"
- Maybe reply: Ralph Katz: "Re: SSH Cracking Attempts"
- Maybe reply: Patrick Albuquerque: "Re: SSH Cracking Attempts"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Thu, 30 Sep 2004 20:20:59 -0400
To: debian-user@lists.debian.org
> From: Jacob S (stormspotter@6Texans.net)
> Subject: SSH Cracking Attempts
>
> Newsgroups: linux.debian.user
> Date: 2004-09-29 12:10:24 PST
>
> Every other day or so now I'm seeing attempts in my servers logs where
> some remote machine starts trying to guess a username/password
> combination to ssh into the server. They try everything from 'test', to
> 'NOUSER', 'guest', 'root', etc., doing at least one login attempt per
> second, each time from a different source port.
>
> So, my question is this. Is there a way to tell ssh to refuse
> connections from an ip address after a certain number of failed login
> attempts, or is snort the only way to do something like this? So far
> I've been taking the manual approach, blocking the ip address with
> my firewall after I see it hitting the logs, but that can give them
> about an hour to play before I notice it (e-mailed to me by logcheck).
>
> Any suggestions?
>
> TIA,
> Jacob
This is getting worse for me:
~$ grep 'Failed password' /var/log/auth.log |wc -l
241
241 attempts in the last day and a half. I'd like to make myself a less
attractive target. In August, I asked for help in enabling FAIL_DELAY
to discourage these ssh attacks:
http://lists.debian.org/debian-user/2004/08/msg07107.html
But apparently FAIL_DELAY no longer applies to ssh.
I've since learned of TARPIT, but have no idea how to implement that
against ssh attacks. (I'm a desktop user, not a programmer or sys admin.)
The closest I've come to finding something that would help is this, but
I don't know how to apply this to Debian:
http://lists.sans.org/pipermail/list/2004-July/061242.html
>> Is there any way I can lock out an account/machine after a certain number of
>> failed login attempts via ssh?
>> similar to what happens on the console of a *nix box or the windows login
>> screen
>
> You haven't said what OS. If it uses pam, then you'll have to swat up on
> pam. Have a look at the pam_tally module; on my RH RHAS3 machines, the
> docs are in /usr/share/doc/pam-0.75/html. You'd modify /etc/pam.d/sshd
> or /etc/pam.d/system-auth on a RedHat 8, 9 or ES installation.
>
> Example: Add the following to /etc/pam.d/(sshd|system-auth):
>
> account required /lib/security/$ISA/pam_tally.so onerr=fail file=/var/log/faillog deny=3 no_magic_root even_deny_root_account
>
> Reset failed logins (cron!) with /sbin/pam_tally.
>
I can't find anything relevant on pam or /etc/ssh/sshd_config. Sure,
there is denying root logins, RhostsRSAAuthentication for known hosts,
hosts allow and hosts deny, but those solutions address different
situations. But your question remains key for me:
> Is there a way to tell ssh to refuse
> connections from an ip address after a certain number of failed login
> attempts,
Or to send it to a tarpit?
Any ideas?
Oh, you can report attacks at
http://www.dshield.org/ and get more info.
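The manual routine described in this thread (grep auth.log for 'Failed password', find the source that is guessing, block it at the firewall) as an added example that is not part of the original message: it counts failures per source address, applies a deny threshold like pam_tally's deny=3, and produces the firewall rule lines. The log lines are constructed samples in the sshd/syslog format of the time, and the function and variable names are mine, not from any Debian tool.

```python
import re
from collections import Counter

# sshd failure line as syslog writes it to /var/log/auth.log (no year in the
# timestamp). Older OpenSSH says "illegal user", newer says "invalid user".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:(?:illegal|invalid) user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample of /var/log/auth.log; addresses are documentation ranges.
SAMPLE_LOG = """\
Sep 30 19:02:11 host sshd[4121]: Failed password for illegal user test from 192.0.2.10 port 41122 ssh2
Sep 30 19:02:12 host sshd[4123]: Failed password for illegal user guest from 192.0.2.10 port 41130 ssh2
Sep 30 19:02:13 host sshd[4125]: Failed password for root from 192.0.2.10 port 41137 ssh2
Sep 30 19:02:14 host sshd[4127]: Failed password for illegal user NOUSER from 192.0.2.10 port 41141 ssh2
Sep 30 19:05:40 host sshd[4201]: Failed password for ralph from 198.51.100.7 port 50012 ssh2
Sep 30 19:05:55 host sshd[4203]: Accepted password for ralph from 198.51.100.7 port 50013 ssh2
Sep 30 19:10:02 host sshd[4250]: Failed password for illegal user admin from 203.0.113.5 port 3344 ssh2
Sep 30 19:10:03 host sshd[4252]: Failed password for illegal user admin from 203.0.113.5 port 3345 ssh2
"""


def failures_per_source(log_text):
    """Count 'Failed password' lines per source IP; other lines are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            counts[m.group("ip")] += 1
    return dict(counts)


def sources_to_block(log_text, threshold=3):
    """Sources at or over the threshold, most failures first (deny=3 analogue)."""
    counts = failures_per_source(log_text)
    hits = [(ip, n) for ip, n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda item: (-item[1], item[0]))


def iptables_rules(ips):
    """The firewall rule the poster adds by hand, one per offending source."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP" for ip in ips]


if __name__ == "__main__":
    for ip, n in sources_to_block(SAMPLE_LOG):
        print(f"{ip}: {n} failures")
    print("\n".join(iptables_rules(ip for ip, _ in sources_to_block(SAMPLE_LOG))))
```

A single legitimate typo from 198.51.100.7 stays under the threshold, while the host that walked test/guest/root/NOUSER is the one that gets a rule.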