openssh & opensshd are awesome and bring a lot of useful features.
One thing that boggles my mind, however: why don't they build in some sort of brute-force protection?
Surely there are settings like MaxAuthTries and MaxSessions, but AFAIK they do not help slow down or stop brute-force attacks, because you can just start new sessions/connections.
I know a lot of people (including yours truly) who use tools like denyhosts and fail2ban, but wouldn't it make sense to have a setting that limits the number of tries per minute per IP/username?
< Daenyth> and he works prolifically
4 8 15 16 23 42
Iptables can do that, and since most boxes running SSH would be running iptables too (at least that's my guess), why provide functionality that is already implemented by something else?
Got Leenucks? :: Arch: Power in simplicity :: Get Counted! Registered Linux User #392717 :: Blog thingy
With iptables, can you do the limiting on a per-IP basis?
So that when someone else is brute-forcing your box, you can still log in yourself?
< Daenyth> and he works prolifically
4 8 15 16 23 42
Iptables can base rules on IPs afaik, so I don't see why.
-s <ip-address> Match source IP address
You might need an extra module to achieve this (I thought snowman had written something like this and it should now be in the official codebase), since it's kind of dynamic.
Got Leenucks? :: Arch: Power in simplicity :: Get Counted! Registered Linux User #392717 :: Blog thingy
There's an app in the AUR called sshdfilter. I haven't used it much, though. That might be something you're looking for.
Iptables can base rules on IPs afaik, so I don't see why.
-s <ip-address> Match source IP address
You might need an extra module to achieve this (I thought snowman had written something like this and it should now be in the official codebase), since it's kind of dynamic.
With this approach you explicitly specify an IP. I was wondering about a way to rate-limit on a per-IP basis without knowing the IPs beforehand.
There's an app in the AUR called sshdfilter. I haven't used it much, though. That might be something you're looking for.
Like I said, I already use denyhosts. I was just thinking it would be nice to do it without an app tailing log files.
< Daenyth> and he works prolifically
4 8 15 16 23 42
Dieter: true. You can use iptables' recent module to block recurring attempts, but it can't discern between successful and failed connections AFAIK.
Got Leenucks? :: Arch: Power in simplicity :: Get Counted! Registered Linux User #392717 :: Blog thingy
You can also use the 'limit' module:
-A INPUT -m limit --limit 10/minute --limit-burst 16 -p tcp --dport 22 -j ACCEPT
Tweak the numbers to suit your usage, of course.
To whitelist your own IP addresses, just put an ACCEPT based on source IP above this rule:
-A INPUT -s x.y.z.b -p tcp --dport 22 -j ACCEPT
Are you familiar with our Forum Rules, and How To Ask Questions The Smart Way?
BlueHackers // fscanary // resticctl
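The two iptables approaches raised in this thread behave very differently under a brute-force attempt, which is exactly Dieter's per-IP concern: a global `-m limit` rule like the one posted above has one token bucket for every source, so a single attacker can drain it and lock the admin out too, while `-m recent` (mentioned by Dadexter) keeps a per-source window. The following is an added example, not code from any poster or from the iptables project: it models both rule sets on constructed connection attempts so the difference can be seen offline. The rule sets in the docstring are assumptions of mine about how each strategy would be written (the list name `SSH` is a placeholder), the addresses are documentation ranges, and the models are simplifications (one bucket refilled at the stated rate; per-source timestamps counted inside the window), not a reimplementation of the kernel modules.

```python
"""Added example (not from the thread): simulate two iptables strategies for slowing
SSH brute force on constructed connection attempts.

Assumed rule sets being modelled (iptables-restore syntax; 'SSH' is a placeholder name):

  # Global rate limit, as posted in the thread:
  -A INPUT -m limit --limit 10/minute --limit-burst 16 -p tcp --dport 22 -j ACCEPT
  -A INPUT -p tcp --dport 22 -j DROP

  # Per-source rate limit with the 'recent' module:
  -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH
  -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update \
      --seconds 60 --hitcount 4 --name SSH -j DROP
  -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
"""
from collections import defaultdict, deque
from fractions import Fraction


class GlobalLimit:
    """Model of '-m limit': one token bucket shared by every source address."""

    def __init__(self, per_minute, burst):
        self.rate = Fraction(per_minute, 60)   # tokens refilled per second
        self.burst = burst
        self.tokens = Fraction(burst)
        self.last = Fraction(0)

    def allow(self, src, now):
        now = Fraction(now)
        # Refill for the elapsed time, capped at the burst size (exact arithmetic, no float drift).
        self.tokens = min(Fraction(self.burst), self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class PerSourceRecent:
    """Model of '-m recent --set' followed by '--update --seconds S --hitcount N':
    every NEW connection is recorded per source; the connection is dropped once the
    source has N or more recorded connections inside the last S seconds."""

    def __init__(self, seconds, hitcount):
        self.seconds = seconds
        self.hitcount = hitcount
        self.hits = defaultdict(deque)

    def allow(self, src, now):
        hits = self.hits[src]
        hits.append(now)                     # '--set' fires first, so dropped attempts are recorded too
        while hits and now - hits[0] > self.seconds:
            hits.popleft()                   # timestamps older than the window no longer count
        return len(hits) < self.hitcount


def simulate(policy, attempts, whitelist=()):
    """Feed (time, src) connection attempts through a policy in time order and return
    per-source counts of accepted and dropped attempts. Sources in `whitelist` bypass
    the policy, mirroring an ACCEPT-by-source rule placed above the limiting rule."""
    accepted = defaultdict(int)
    dropped = defaultdict(int)
    for now, src in sorted(attempts):
        if src in whitelist or policy.allow(src, now):
            accepted[src] += 1
        else:
            dropped[src] += 1
    return dict(accepted), dict(dropped)


# Constructed scenario: an attacker opens a new connection every 2 s for a minute
# while the admin tries to log in twice during that minute.
ATTACKER, ADMIN = "198.51.100.7", "192.0.2.10"
ATTEMPTS = [(t, ATTACKER) for t in range(0, 60, 2)] + [(45, ADMIN), (59, ADMIN)]


def compare():
    """Run the scenario under each strategy; returns {name: (accepted, dropped)}."""
    return {
        "limit": simulate(GlobalLimit(per_minute=10, burst=16), ATTEMPTS),
        "limit_whitelisted": simulate(GlobalLimit(per_minute=10, burst=16), ATTEMPTS,
                                      whitelist={ADMIN}),
        "recent": simulate(PerSourceRecent(seconds=60, hitcount=4), ATTEMPTS),
    }


if __name__ == "__main__":
    for name, (ok, drop) in compare().items():
        print(f"{name:18} accepted={ok} dropped={drop}")
```

In this run the global limit admits 25 of the attacker's 30 attempts and rejects both of the admin's logins, because the attacker alone keeps the shared bucket empty; only the source whitelist from the last post gets the admin back in. The per-source `recent` window admits 3 attacker connections, drops the remaining 27 (and keeps dropping as long as the attacker keeps trying, since each attempt refreshes its timestamps), and lets both admin logins through without any whitelist. The caveat Dadexter raised still applies to both: these rules count new TCP connections, not failed authentications, so a legitimate user who opens many connections in a short burst is throttled just like an attacker, and distinguishing failures from successes still requires something that reads the sshd log, as denyhosts and fail2ban do.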