Re: SSHD: Limit login attempt rate
- From: ibuprofin@xxxxxxxxxxxxxxxxxxxxxx (Moe Trin)
- Date: Thu, 24 Jul 2008 15:00:17 -0500
On Thu, 24 Jul 2008, in the Usenet newsgroup comp.os.linux.networking, in
article <103d250f-85a7-4240-aa96-81c1a8f2a85d@xxxxxxxxxxxxxxxxxxxxxxxxxxx>,
bmearns wrote:
NOTE: Posting from groups.google.com (or some web-forums) dramatically
reduces the chance of your post being seen. Find a real news server.
> I'm running an sshd on Fedora 8, and have recently been getting
> swamped with people trying to log in (i.e., break in). It's configured
> to only allow three authentication attempts per connection, but they
> just keep reconnecting: probably some script kiddies with port
> sniffers and password testers.
This question comes up constantly, and has been answered many times.
Are you a world traveler, or do you have users authorized to log into
your system from every IP address in the world? You'll find you will
waste fewer CPU cycles by configuring your firewall to only allow
connections to your SSH server from IP addresses you actually expect
may have a legitimate reason to connect. For me, that means allowing
just 1536 IP addresses (a /22 and two /24s) out of the 2676890800 IPv4
addresses in current use in the entire world.
What you are seeing is skript kiddiez and bots - and one thing they are
sure of is that you must only run an SSH server on port 22. A very
common solution that defeats this knowledge is to move your server to
a "high" port. Your Linux distribution comes with a network exploration
tool called 'nmap' - look at the documentation that comes with this
tool, and locate a file named 'nmap-services' which will show port
numbers to avoid. Before you think "SECURITY THROUGH OBSCURITY!"
remember that moving the server location in no way changes the
authentication mechanisms you have in place - you still need a valid
username and authentication token to get in.
Seeing as how you are posting from a search engine, you might also
try searching for 'port knocking' - a technique that requires a valid
user to first attempt to connect to some unusual port number which is
closed on your end. The port knocker daemon is listening for such
connection attempts, and can then open what-ever port you have hidden
the SSH server to that address ONLY, and only for a short time needed
to get the connection running. This is useful in cases where your
remote system is otherwise restricted from making connections to
non-standard ports/services. Again, this isn't 'Security Through
Obscurity' because you still require the authentication mechanism
as above.
> For example, if a particular address tries and fails three times to
> authenticate, that address is blocked for three hours, or something
> similar?
There are a number of such tools available - everything from fail2ban
to PortSentry and others. While blocking for a "short time" such as
three hours is better than inserting a permanent block, it is still a
good way to shoot yourself in the wobbly bits - 'Self Denial Of Service'
is far from unknown.
Another technique is available in the iptables firewall - rate limits.
See http://www.netfilter.org/documentation/HOWTO/ for a number of
documents that discuss the technique and rules.
Old guy
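The firewall restriction, the iptables 'recent' rate limit and the "three failures, three hours" temporary ban discussed in the post above, as an added example that is not part of Moe Trin's post or of fail2ban, PortSentry or any other named tool. The port number, the allowed networks, the never-ban address, the sample log lines and the /proc/net/xt_recent path (kernels of Fedora 8's vintage used /proc/net/ipt_recent) are assumptions; by default the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not from the original post. Part 1 builds iptables rules
# that expose sshd only to the networks you actually log in from and
# rate-limit new connections with the 'recent' match. Part 2 is a
# fail2ban-style scan of sshd log lines that bans repeat offenders for a
# fixed time via the kernel's recent-list, with a never-ban list so the
# script cannot lock you out (the 'Self Denial Of Service' caveat).
# All addresses, the port and the sample log below are placeholders.

SSH_PORT="${SSH_PORT:-49222}"          # a "high" port; check nmap-services first
ALLOWED_NETS="${ALLOWED_NETS:-198.51.100.0/22 203.0.113.0/24 192.0.2.0/24}"
NEVER_BAN="${NEVER_BAN:-192.0.2.10}"   # the address(es) you administer from
THRESHOLD="${THRESHOLD:-3}"            # failed passwords before a ban
BAN_SECONDS="${BAN_SECONDS:-10800}"    # three hours
RECENT_PROC="${RECENT_PROC:-/proc/net/xt_recent}"  # assumption: modern kernel path
DRY_RUN="${DRY_RUN:-1}"                # 1 = print commands; DRY_RUN=0 as root applies them

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Part 1: print the rule set, one rule per line, without the leading "iptables".
gen_rules() {
    echo "-N SSH_IN"
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Only the expected source networks get as far as the SSH_IN chain;
    # everyone else is dropped before sshd ever sees a packet.
    for net in $ALLOWED_NETS; do
        echo "-A INPUT -p tcp --dport $SSH_PORT -s $net -m state --state NEW -j SSH_IN"
    done
    echo "-A INPUT -p tcp --dport $SSH_PORT -j DROP"
    # Banned addresses (added to the BANNED list in part 2) are dropped until
    # BAN_SECONDS have passed since they were listed. --rcheck never refreshes
    # the timestamp, so the ban expires on its own with no cron job to undo it.
    # (xt_recent keeps 100 entries per list by default; raise ip_list_tot if needed.)
    echo "-A SSH_IN -m recent --name BANNED --rcheck --seconds $BAN_SECONDS -j DROP"
    # Rate limit: --set records every new connection; --update then drops the
    # 4th (or later) new connection from the same address within 60 seconds.
    echo "-A SSH_IN -m recent --name SSH --set"
    echo "-A SSH_IN -m recent --name SSH --update --seconds 60 --hitcount 4 -j DROP"
    echo "-A SSH_IN -j ACCEPT"
}

apply_rules() {
    gen_rules | while read -r rule; do
        # shellcheck disable=SC2086  (word splitting of $rule is intended)
        run iptables $rule
    done
}

# Part 2. Constructed sample of /var/log/secure lines, not captured traffic:
# 203.0.113.7 fails four times, 192.0.2.10 (our own admin host, in NEVER_BAN)
# fumbles three times, 203.0.113.9 fails once and then logs in.
SAMPLE_LOG='Jul 24 14:01:02 host sshd[2101]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jul 24 14:01:04 host sshd[2101]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jul 24 14:01:06 host sshd[2101]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jul 24 14:01:09 host sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Jul 24 14:02:11 host sshd[2110]: Failed password for bob from 192.0.2.10 port 40211 ssh2
Jul 24 14:02:13 host sshd[2110]: Failed password for bob from 192.0.2.10 port 40211 ssh2
Jul 24 14:02:15 host sshd[2110]: Failed password for bob from 192.0.2.10 port 40211 ssh2
Jul 24 14:03:01 host sshd[2115]: Failed password for alice from 203.0.113.9 port 40300 ssh2
Jul 24 14:03:04 host sshd[2115]: Accepted publickey for alice from 203.0.113.9 port 40300 ssh2'

# Read sshd log lines on stdin; print, sorted, each address with at least
# THRESHOLD failed passwords that is not in NEVER_BAN.
# Real use:  offenders < /var/log/secure
offenders() {
    awk -v threshold="$THRESHOLD" -v safe="$NEVER_BAN" '
        BEGIN { n = split(safe, s, " "); for (i = 1; i <= n; i++) keep[s[i]] = 1 }
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= threshold && !(ip in keep)) print ip }
    ' | sort
}

# Ban each offender by adding it to the kernel BANNED recent-list ("+addr"
# written to the list file); the rule from gen_rules() then drops it for
# BAN_SECONDS. In dry-run mode the command is printed instead.
ban_offenders() {
    offenders | while read -r ip; do
        if [ "$DRY_RUN" = 1 ]; then
            echo "echo +$ip > $RECENT_PROC/BANNED"
        else
            echo "+$ip" > "$RECENT_PROC/BANNED"
        fi
    done
}

apply_rules
printf '%s\n' "$SAMPLE_LOG" | ban_offenders
```

Run as-is to see the commands; `DRY_RUN=0 sh script.sh` as root installs the rules and bans whatever the sample log contains, so in real use replace the sample with `offenders < /var/log/secure` (or feed the script from a cron job). Note that the SSH_IN rules only see connections from ALLOWED_NETS; an address outside those networks never reaches the rate limiter or the ban list, which is the point of doing the source restriction first.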
- References:
- SSHD: Limit login attempt rate
- From: bmearns