Automatically blacklist IP after multiple SSH login failures
I'd like to protect myself against dictionary or brute force login attacks. Is there a way within OpenSSH or another package to automatically blacklist an IP address after x number of failed login attempts? Thanks, Jeff Stewart
* Jeff Stewart
I'd like to protect myself against dictionary or brute force login attacks. Is there a way within OpenSSH
Sure, get used to using RSA keys and put this in your /etc/ssh/sshd_config then:
Protocol 2
RSAAuthentication yes
PasswordAuthentication no
automatically blacklist an IP address after x number of failed login attempts?
That won't help, because the hacker can easily switch to another IP address.
-- Johannes Franken, Professional unix/network development, mailto:jfranken@jfranken.de http://www.jfranken.de/
That's a good idea, but I want to be able to shell in from public computers. Maybe instead of blocking the IP address, I should block the username from logging in after a certain number of tries.
Hi,
On Thursday, 8 August 2002 22:01, Jeff Stewart wrote:
That's a good idea, but I want to be able to shell in from public computers. Maybe instead of blocking the IP address, I should block the username from logging in after a certain number of tries.
This idea is even worse, as it leads to an easy DoS: if I know your box's IP, I simply connect a couple of times with your login, and afterwards you're no longer able to connect.
Bastian
-- Bastian Friedrich bastian@bastian-friedrich.de, address and phone available on my HP http://www.bastian-friedrich.de/
Technical terms of computer science, no. 117: "Las Vegas": Mecca for experimental statistics (Jens Hoffmann)
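The two counting strategies argued over in this thread, per source address (which Johannes notes an attacker sidesteps by switching IP) and per username (which Bastian notes lets anyone lock the real user out), can be compared on the same log. This is an added example and not code from the thread or from any participant: the sshd log lines are constructed in syslog format, the threshold and window are arbitrary, and the iptables rule it renders is one assumed way to act on the result.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd log lines in syslog format (not from the original thread).
# 203.0.113.7 hammers the host from a single address; 198.51.100.4-6 rotate addresses
# against the single account "jeff", which is the per-username lockout DoS scenario.
SAMPLE_LOG = """\
Aug  8 15:50:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 40122 ssh2
Aug  8 15:50:03 host sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 40123 ssh2
Aug  8 15:50:05 host sshd[1203]: Failed password for root from 203.0.113.7 port 40124 ssh2
Aug  8 15:50:06 host sshd[1204]: Failed password for jeff from 198.51.100.4 port 51000 ssh2
Aug  8 15:50:08 host sshd[1205]: Failed password for jeff from 198.51.100.5 port 51001 ssh2
Aug  8 15:50:10 host sshd[1206]: Failed password for jeff from 198.51.100.6 port 51002 ssh2
Aug  8 15:50:12 host sshd[1207]: Accepted publickey for jeff from 192.0.2.9 port 60000 ssh2
Aug  8 16:30:00 host sshd[1208]: Failed password for root from 203.0.113.8 port 40200 ssh2
"""

# Matches the "Failed password" line sshd writes for both existing and invalid users.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text):
    """Return a list of (timestamp, user, ip) for every failed password attempt, in log order."""
    events = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            # syslog timestamps carry no year; relative comparisons within one log are enough here
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            events.append((ts, m.group("user"), m.group("ip")))
    return events


def offenders(events, key, threshold=3, window=600):
    """Return the sorted keys (key="ip" or key="user") that accumulate at least
    `threshold` failures inside any `window`-second span. Events must be in time order."""
    recent = defaultdict(deque)
    hit = set()
    for ts, user, ip in events:
        k = ip if key == "ip" else user
        q = recent[k]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            hit.add(k)
    return sorted(hit)


def block_rules(ips):
    """Render one iptables DROP rule per offending source address (assumed firewall action)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP" for ip in ips]


if __name__ == "__main__":
    ev = parse_failures(SAMPLE_LOG)
    print("per-IP offenders:  ", offenders(ev, "ip"))    # only the single-source attacker
    print("per-user offenders:", offenders(ev, "user"))  # the rotating attacker gets jeff locked out
    for rule in block_rules(offenders(ev, "ip")):
        print(rule)
```

On this log the per-IP rule blocks only 203.0.113.7; the three attempts against "jeff" from rotating addresses never cross the threshold, which is exactly the switch-IP objection. The per-user rule flags "jeff" after three failures that anyone on the Internet could have produced, so the account's real owner is the one locked out. Disabling password authentication removes the thing both counters are trying to protect, which is why the thread keeps returning to keys.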
Bastian Friedrich wrote:
On Thursday, 8 August 2002 22:01, Jeff Stewart wrote:
That's a good idea, but I want to be able to shell in from public computers. Maybe instead of blocking the IP address, I should block the username from logging in after a certain number of tries.
This idea is even worse, as it leads to an easy DoS: If I know your box' IP, I simply connect a couple of times with your login - and afterwards, you're no longer able to connect.
No, you don't. If you spoof the IP, you wouldn't be able to get past the TCP handshake. If you don't have a connection, you couldn't send a wrong password, and so you're unable to lock him out. It would be possible if you are in control of the public site's router, but not for everyone. Peter
* Peter Wiersig wrote on Fri, Aug 09, 2002 at 09:44 +0200:
Bastian Friedrich wrote:
On Thursday, 8 August 2002 22:01, Jeff Stewart wrote:
That's a good idea, but I want to be able to shell in from public computers. Maybe instead of blocking the IP address, I should block the username from logging in after a certain number of tries.
This idea is even worse, as it leads to an easy DoS: If I know your box' IP, I simply connect a couple of times with your login - and afterwards, you're no longer able to connect.
No, you don't. If you spoof the IP, you wouldn't be able to get past the TCP handshake.
He said, "*instead* of blocking the IP address, I should block the username". And for IP: I wouldn't rely on the sequence number to be safe; after all, it's only a 32-bit value and not as strong as an RSA key. IP is not for security; SSH keys are made for this! I suggest putting the key on a floppy disk with a good passphrase and disallowing password auth.
oki, Steffen
-- This message was generated by machine; it therefore bears neither signature nor seal.
participants (5)
- Bastian Friedrich
- Jeff Stewart
- Johannes Franken
- Peter Wiersig
- Steffen Dettmer