hubertf's NetBSD Blog
Send interesting links to hubert at feyrer dot de!
 
[20070116] More fighting ssh password guessing attempts (Updated)
About one year ago (coincidence?) there was some discussion about how to protect your server against ssh password guessing, see elsewhere in my blog. Apparently the topic came up again, for ssh and other services this time, and quite a number of people chimed in and mentioned their preferred solutions to the same old problem. Solutions fall into three categories: administrative settings, logfile-parsing, and PAM-based solutions.

Administrative policies to using password-less ssh logins only is something that needs some adjusting from users.

Most of the mentioned programs parse logfiles and then act on them. Among them are fail2ban, denyhost and a similar script, OSsec, blockhosts and a shell-based approach by Rhialto.

The latter post also mentions going the PAM way, which hooks right into the authentication framework and can detect repeated authentication failures best - at the place where they get detected first. This is implemented by the anti-bruteforce PAM module in pkgsrc/security/pam-af.

I guess that's some food for thoughts, and a lot of programs to do the job. Let's see what comes up in Jan 2008 for this topic... :-)

Update: Elad Efrat wrote me to tell that server site log parsing may not be such a good idea as it has a potential to open up for some nasty attacks, see this thread on the fulldisclosuer list. You've been warned!

[Tags: , , , , ]


Disclaimer: All opinion expressed here is purely my own. No responsibility is taken for anything.

Access count: 36183859
Copyright (c) Hubert Feyrer