Secure Shell
a GOOD idea to harden OpenSSH! Mar 30 2011 07:19PM
nagygabor88 (nagygabor88 zoho com) (3 replies)
RE: a GOOD idea to harden OpenSSH! Mar 31 2011 07:39PM
Ward, Jon (Jon_Ward syntelinc com) (1 replies)
Re: a GOOD idea to harden OpenSSH! Apr 02 2011 10:37PM
Eric Jaw (naisanza gmail com)
Re: a GOOD idea to harden OpenSSH! Mar 31 2011 06:24PM
Joseph Spenner (joseph85750 yahoo com) (1 replies)
Re: a GOOD idea to harden OpenSSH! Apr 03 2011 07:17PM
Lamont Granquist (lamont scriptkiddie org) (1 replies)

you can already use fail2ban to accomplish this kind of thing.

the original idea i think is somewhat terrible in a multi-user
enterprise-y kind of environment since you'll wind up telling users that
they have to wait 2 seconds before entering their passphrase
constantly. for your home server it might work, but you can always
set up public keys or OTP pretty easily as well, in addition to fail2ban.

you can also use pam_tally to only allow 6 failed passwords in a row
before locking the account. i run the cronjob to unlock all the
accounts every 30 mins or so, which only allows a velocity of 12 guesses
per hour on a single account, while not requiring users with locked
accounts to call up a helpdesk.

On 3/31/11 11:24 AM, Joseph Spenner wrote:
> --- On Wed, 3/30/11, nagygabor88<nagygabor88 (at) zoho (dot) com> wrote:
>
>> From: nagygabor88<nagygabor88 (at) zoho (dot) com>
>> Subject: a GOOD idea to harden OpenSSH!
>> To: "OpenSSH list"<secureshell (at) securityfocus (dot) com>
>> Date: Wednesday, March 30, 2011, 12:19 PM
>>
>>
>> if a user wants to connect to an ssh server then he has to
>> wait a couple of seconds, then he can write his passphrase.
>> the "couple of seconds" is defined in the sshd config,
>> e.g.: 2 seconds
>> the method mustn't show that the user has to wait 2 seconds
>> to write his passphrase.
>>
> This can already be similarly done using iptables, with entries such as:
> $IPTABLES -N SSH_CHECK
> $IPTABLES -I INPUT -p tcp --dport 22 -m state --state NEW -j SSH_CHECK
> $IPTABLES -A SSH_CHECK -m recent --set --name SSH
> $IPTABLES -A SSH_CHECK -m recent --update --seconds 180 --hitcount 5 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "
> $IPTABLES -A SSH_CHECK -m recent --update --seconds 180 --hitcount 5 --rttl --name SSH -j DROP
>
> What this does: If I get more than 5 hits within 180 seconds, block them for 180 seconds.
>
>

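The same counting that Joseph's iptables `recent` rules and fail2ban do, shown on the log side as an added example (not code from any poster in this thread): it parses sshd auth-log lines and flags a source once 5 failed passwords fall within 180 seconds. The log lines are constructed sample data and the year 2011 is assumed, since syslog timestamps carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd auth.log excerpt: one source hammering passwords,
# one legitimate user with a single typo. Not real traffic.
SAMPLE_LOG = """\
Mar 30 19:20:01 host sshd[4411]: Failed password for invalid user admin from 198.51.100.7 port 40211 ssh2
Mar 30 19:20:31 host sshd[4412]: Failed password for root from 198.51.100.7 port 40212 ssh2
Mar 30 19:21:02 host sshd[4413]: Failed password for root from 198.51.100.7 port 40213 ssh2
Mar 30 19:21:40 host sshd[4414]: Accepted publickey for alice from 203.0.113.5 port 51000 ssh2
Mar 30 19:21:45 host sshd[4415]: Failed password for root from 198.51.100.7 port 40214 ssh2
Mar 30 19:22:10 host sshd[4416]: Failed password for root from 198.51.100.7 port 40215 ssh2
Mar 30 19:22:30 host sshd[4417]: Failed password for bob from 203.0.113.5 port 51001 ssh2
Mar 30 19:30:00 host sshd[4418]: Failed password for root from 198.51.100.7 port 40216 ssh2
"""

# Matches the standard "Failed password" line, with or without "invalid user".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port"
)


def parse_ts(ts, year=2011):
    # syslog timestamps have no year; assume the thread's year
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_brute_force(log_text, window=180, hitcount=5):
    """Return {ip: time at which the threshold was first crossed}.

    Per source, keep only failure timestamps inside the last `window`
    seconds (like xt_recent --seconds) and fire when `hitcount` of them
    remain (like --hitcount). Successful logins are never counted.
    """
    recent = defaultdict(deque)
    offenders = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ip, when = m.group("ip"), parse_ts(m.group("ts"))
        q = recent[ip]
        q.append(when)
        while (when - q[0]).total_seconds() > window:
            q.popleft()  # drop failures that aged out of the window
        if len(q) >= hitcount and ip not in offenders:
            offenders[ip] = when
    return offenders
```

With the sample above, 198.51.100.7 is flagged at its fifth failure (19:22:10); raising `hitcount` to 6, as in Lamont's pam_tally setting, flags nothing because the sixth failure comes long after the window has emptied.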
Re: a GOOD idea to harden OpenSSH! Apr 06 2011 03:30AM
Mike Ramirez (gufymike gmail com)
Re: a GOOD idea to harden OpenSSH! Mar 31 2011 06:20PM
Christian Grunfeld (christian grunfeld gmail com) (1 replies)
Re: a GOOD idea to harden OpenSSH! Apr 02 2011 11:57AM
Aaron Toponce (aaron toponce gmail com)
Copyright 2010, SecurityFocus