[20070116]
|
More fighting ssh password guessing attempts (Updated)
About one year ago (coincidence?) there was some discussion about
how to protect your server against ssh password guessing, see
elsewhere in my blog.
Apparently the topic came up
again,
for ssh and other services this time,
and quite a number of people chimed in and mentioned their preferred
solutions to the same old problem. Solutions fall into three categories:
administrative settings, logfile-parsing, and PAM-based solutions.
Administrative policies to
using password-less ssh logins only is something that needs some adjusting
from users.
Most of the mentioned programs parse logfiles and then act on them.
Among them are
fail2ban,
denyhost and
a similar script,
OSsec,
blockhosts and
a shell-based approach by Rhialto.
The latter post also mentions going the PAM way, which hooks right
into the authentication framework and can detect repeated authentication
failures best - at the place where they get detected first. This is implemented by
the anti-bruteforce PAM module in pkgsrc/security/pam-af.
I guess that's some food for thoughts, and a lot of programs to do the job.
Let's see what comes up in Jan 2008 for this topic... :-)
Update:
Elad Efrat wrote me to tell that server site log parsing may not
be such a good idea as it has a potential to open up for some nasty attacks,
see this thread on the fulldisclosuer list. You've been warned!
[Tags: ids, ipfilter, networking, Security, ssh]
|