Re: SSHD: Limit login attempt rate
- From: bmearns <mearns.b@xxxxxxxxx>
- Date: Fri, 25 Jul 2008 05:45:08 -0700 (PDT)
Thanks for all the great recommendations. I'm especially interested in
iptables rate-limiting and port-knocking, which I will be looking more
into. Moe Trin mentioned that port-knocking doesn't block out remote
hosts who can't connect on obscure ports, but I don't see how? This is
also my main reason for not moving the server to another port: I need
to be able to access it from a handful of networks that lock down all
but standard ports (i.e., from within these networks, you can't
connect to remote hosts on ports other than, say, 80, 8080, 22, and
maybe a few others), so I'm not clear on how port knocking would be
any different in this aspect?

White-listing the addresses is similarly not a very practical option
for me. I wouldn't exactly call myself a "world traveler", but I do
have a tendency to connect back home from a wide variety of locations,
so I'd like to not blow off my "wobbly bits" as Moe Trin put it so
beautifully =).

As of last night, I implemented PKA-only access to ssh and have
whitelisted just a few users who are actually allowed to connect, all
of whom have fairly obscure usernames that aren't likely to be
guessed by random strangers. Seems to me like a pretty good set of
authentication options, but if anyone has feedback, I'd love to hear
it. I will still be looking into some of the other options mentioned
above for black-listing attackers, as well.

Finally, just so we can all have a good laugh: The specific incident
that triggered all this was that my logwatch reported 1300 attempts to
log in with my username (again, not exactly a common "oh this is
probably a username" guess that most script kiddies are likely to
try), and what's more, the source IP was my wireless router (which has
loopback). To paraphrase a well known horror movie: The call was
coming from inside the network, leading me to believe that someone in
the building had hacked my wireless network and was now trying to hack
the systems behind it. But here's the funny part: I had apparently
set up a MyEnTunnel service on my Windows laptop, set to open a tunnel
back home whenever the system started. I vaguely recall doing this
now, but totally forgot about it in the meantime. So after changing my
ssh password, this service was no longer able to connect, but boy did
it try. Hence the 1300 failed authentication attempts from inside the
network. I've disabled that service now, but I guess it all worked out
for the best, since it got me thinking about security.

-Brian
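The incident described in this post (1300 failures against one username, all from a single internal address) is exactly the pattern a small log check can surface before logwatch's daily summary does. The following script is an added example, not code from the original thread or from any of its participants. It parses a few constructed auth.log lines in the format OpenSSH writes to syslog, tallies failed authentications per source address, flags sources over a threshold, and lists any attempted usernames that fall outside the AllowUsers set the post describes (a failure for an allowed user from one address looks like a stale client; failures for many unknown users look like guessing). The sample lines, the 192.168.1.1 / 203.0.113.7 / 198.51.100.9 addresses, the hostname, and the threshold are all constructed for the example.

```python
"""Tally failed sshd logins from auth.log-style lines and flag noisy sources.

Added example (not from the thread). Log lines below are constructed to
resemble OpenSSH syslog output; addresses and usernames are made up.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: three failures for an allowed user from one internal
# address, two guesses for unknown users from an external address, one success.
SAMPLE_AUTH_LOG = """\
Jul 24 23:01:02 home sshd[4101]: Failed password for brian from 192.168.1.1 port 51022 ssh2
Jul 24 23:01:05 home sshd[4103]: Failed password for brian from 192.168.1.1 port 51023 ssh2
Jul 24 23:01:09 home sshd[4105]: Failed publickey for brian from 192.168.1.1 port 51024 ssh2
Jul 24 23:02:11 home sshd[4110]: Failed password for invalid user admin from 203.0.113.7 port 40001 ssh2
Jul 24 23:02:14 home sshd[4112]: Failed password for root from 203.0.113.7 port 40002 ssh2
Jul 24 23:05:30 home sshd[4120]: Accepted publickey for brian from 198.51.100.9 port 50101 ssh2
"""

# Matches OpenSSH "Failed <method> for [invalid user ]<user> from <addr> port <n>".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>\w+) for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<src>[0-9A-Fa-f.:]+) port \d+"
)


def parse_failures(lines):
    """Yield (src, user, method, is_invalid_user) for each failed-auth line.

    Lines that are not authentication failures (accepted logins, session
    messages, unrelated daemons) are skipped.
    """
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            yield m["src"], m["user"], m["method"], bool(m["invalid"])


def tally_by_source(lines):
    """Map source address -> Counter of usernames that failed from it."""
    tally = defaultdict(Counter)
    for src, user, _method, _invalid in parse_failures(lines):
        tally[src][user] += 1
    return tally


def noisy_sources(tally, threshold):
    """Sources whose total failures reach the threshold, busiest first."""
    totals = [(src, sum(users.values())) for src, users in tally.items()]
    return sorted([t for t in totals if t[1] >= threshold], key=lambda t: (-t[1], t[0]))


def users_outside_allowlist(tally, allow_users):
    """Usernames tried that sshd's AllowUsers would never accept."""
    seen = {user for users in tally.values() for user in users}
    return sorted(seen - set(allow_users))


def report(lines, threshold, allow_users):
    """Summarise a log excerpt: noisy sources and unknown usernames tried."""
    tally = tally_by_source(lines)
    return {
        "noisy": noisy_sources(tally, threshold),
        "unknown_users": users_outside_allowlist(tally, allow_users),
    }


if __name__ == "__main__":
    # AllowUsers set as described in the post: only a few named accounts.
    summary = report(SAMPLE_AUTH_LOG.splitlines(), threshold=3, allow_users={"brian"})
    for src, count in summary["noisy"]:
        print(f"{src}: {count} failed attempts")
    print("unknown usernames tried:", ", ".join(summary["unknown_users"]))
```

Run it against a real file with `report(open("/var/log/auth.log").read().splitlines(), 50, {"brian"})` (path and threshold are placeholders to adjust). The two outputs answer different questions: a single internal source hammering an allowed account points at a forgotten client such as the tunnel service in the post, while unknown usernames from outside are the traffic that iptables rate-limiting or a blacklist is meant to absorb.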
- Follow-Ups:
- Re: SSHD: Limit login attempt rate
- From: Andrew Gideon
- Re: SSHD: Limit login attempt rate
- From: Moe Trin
- Re: SSHD: Limit login attempt rate
- From: Guenther Schwarz
- Re: SSHD: Limit login attempt rate
- References:
- SSHD: Limit login attempt rate
- From: bmearns
- Re: SSHD: Limit login attempt rate
- From: Alo
- SSHD: Limit login attempt rate