Protecting SSH from brute force attacks
Daniel Bye
dan at slighytlystrange.org
Fri Oct 8 03:25:15 PDT 2004
On Fri, 8 October, 2004 8:44 am, spam maps said:
> Vulpes Velox wrote:
>> On Thu, 7 Oct 2004 15:15:25 -0700 (PDT) Luke <luked at pobox.com> wrote:
>>
>>> There are several script kiddies out there hitting my SSH server
>>> every day. Sometimes they attempt to brute-force their way in
>>
>> man login.conf for more info :)
>
> I'm just guessing, but are you trying to tell me that "login-retries" in
> login.conf is useful?
>
> I have tried that by setting it to 2, but it seems to have no effect on
> the sshd login behaviour. I always can try the password 6 times:
>
> $ ssh myname at my.own.pc
> Password:
> Password:
> Password:
> myname at my.own.pc's password:
> Permission denied, please try again.
> myname at my.own.pc's password:
> Permission denied, please try again.
> myname at my.own.pc's password:
> Permission denied (publickey,password,keyboard-interactive).
> $
>
> So could you be a little more specific as to where login.conf is of help
> here?
This is still only one *connection* - sshd will offer you (or anyone else
who can connect) a certain number of chances to prove your identity.
Login.conf can't help with this. You can configure sshd to stop offering
the keyboard-interactive auth method - set
ChallengeResponseAuthentication no
in /etc/ssh/sshd_config and HUP the daemon. You will no longer see the
first three Password: prompts.
Login.conf can help you to limit the number of successive login attempts.
Make sure you run "cap_mkdb /etc/login.conf" whenever you edit the file,
or you will not enable your changes.
Dan
--
Daniel Bye
PGP Key: ftp://ftp.slightlystrange.org/pgpkey/dan.asc
PGP Key fingerprint: 3B9D 8BBB EB03 BA83 5DB4 3B88 86FC F03A 90A1 BE8F
_
ASCII ribbon campaign ( )
- against HTML, vCards and X
- proprietary attachments in e-mail / \
More information about the freebsd-questions
mailing list