#1 2009-10-05 11:27:25

Dieter@be
Forum Fellow
From: Belgium
Registered: 2006-11-05
Posts: 2,000

[open]sshd built-in brute force protection?

openssh & opensshd are awesome and bring a lot of useful features.

One thing that boggles my mind however: why don't they build in some sort of brute force protection?
Surely there are settings like MaxAuthTries and MaxSessions, but afaik they do not help slow down/stop brute force attacks because you can just start new sessions/connections.

I know a lot of people (including yours truly) who use tools like denyhosts and fail2ban, but wouldn't it make sense to have a setting that limits the amount of tries per minute per IP/username?


< Daenyth> and he works prolifically
4 8 15 16 23 42

#2 2009-10-05 11:35:05

.:B:.
Forum Fellow
Registered: 2006-11-26
Posts: 5,819

Re: [open]sshd built-in brute force protection?

Iptables can do that, and since most boxes running SSH would be running iptables too (at least that's my guess), why provide functionality that is implemented by something else already?


Got Leenucks? :: Arch: Power in simplicity :: Get Counted! Registered Linux User #392717 :: Blog thingy

#3 2009-10-05 11:37:54

Dieter@be
Forum Fellow
From: Belgium
Registered: 2006-11-05
Posts: 2,000

Re: [open]sshd built-in brute force protection?

With iptables, can you do the limiting on a per-IP basis?
So that when someone else is brute-forcing your box, you can still log in yourself?


#4 2009-10-05 11:39:50

.:B:.
Forum Fellow
Registered: 2006-11-26
Posts: 5,819

Re: [open]sshd built-in brute force protection?

Iptables can base rules on IPs afaik, so I don't see why.

-s <ip-address>    Match source IP address

You might need an extra module to achieve this (I thought snowman had written something like this and it should now be in the official codebase), since it's kind of dynamic.


#5 2009-10-05 15:45:53

brenix
Member
From: California
Registered: 2008-03-05
Posts: 185

Re: [open]sshd built-in brute force protection?

There's an app in the AUR called sshdfilter. Haven't used it much though. That might be something you're looking for.

#6 2009-10-05 16:55:35

Dieter@be
Forum Fellow
From: Belgium
Registered: 2006-11-05
Posts: 2,000

Re: [open]sshd built-in brute force protection?

B wrote:

Iptables can base rules on IPs afaik, so I don't see why.

-s <ip-address>    Match source IP address

You might need an extra module to achieve this (I thought snowman had written something like this and it should now be in the official codebase), since it's kind of dynamic.

With this approach you explicitly specify an IP. I was wondering about a way to rate limit on a per-IP basis without knowing the IPs beforehand.

brenix wrote:

There's an app in the AUR called sshdfilter. Haven't used it much though. That might be something you're looking for.

Like I said, I already use denyhosts. I was just thinking it would be nice to do it without an app tailing logfiles.


#7 2009-10-05 17:58:40

.:B:.
Forum Fellow
Registered: 2006-11-26
Posts: 5,819

Re: [open]sshd built-in brute force protection?

Dieter: true. You can use iptables' recent module to block recurring attempts but it can't discern between successful and failed connections afaik.


#8 2009-10-05 21:56:19

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,217

Re: [open]sshd built-in brute force protection?

You can also use the 'limit' module:

-A INPUT -m limit --limit 10/minute --limit-burst 16 -p tcp --dport 22 -j ACCEPT

Tweak the numbers to suit your usage, of course.

To whitelist your own IP addresses, just put an ACCEPT based on source IP above this rule:

-A INPUT -s x.y.z.b -p tcp --dport 22 -j ACCEPT

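As an added example (my own, not code posted by anyone in this thread), here is a POSIX shell script that generates the ordered ruleset the last two posts describe: a source whitelist first, then the per-IP check with the 'recent' module from post #7 (which answers Dieter's question about limiting without knowing the IPs beforehand), then the global 'limit' rule from post #8 as a backstop. The address 192.0.2.10, the thresholds (4 new connections per 60 seconds) and the list name SSH are constructed for the example, and the script assumes a standard ESTABLISHED,RELATED accept rule already sits higher in the INPUT chain.

```shell
#!/bin/sh
# Added example (not code from any poster in this thread): generate and apply an
# sshd rate-limiting ruleset for iptables that combines the suggestions above:
# a per-source limit via the 'recent' module (post #7) and a global 'limit'
# rule plus source whitelist (post #8). Addresses, thresholds and the list
# name SSH are constructed for the example. Assumes a standard
# "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" rule already sits
# higher in INPUT, so only NEW connections reach these rules.

# Print the rules in iptables-save syntax.
# Arguments: space-separated whitelist IPs, per-IP hit count, window in seconds.
gen_ssh_rules() {
    whitelist="$1"
    hitcount="${2:-4}"
    seconds="${3:-60}"

    # 1. Whitelisted sources bypass every limit; this must come first so the
    #    admin can still log in while someone else is hammering the port.
    for ip in $whitelist; do
        echo "-A INPUT -s $ip -p tcp --dport 22 -j ACCEPT"
    done

    # 2. Per-source limit: record every NEW connection in the list SSH, then
    #    log and drop a source that has opened hitcount or more connections
    #    within the window. This counts connections, not failed logins, so a
    #    legitimate user who reconnects often trips it too (B's caveat).
    ct="-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW"
    echo "$ct -m recent --name SSH --set"
    echo "$ct -m recent --name SSH --update --seconds $seconds --hitcount $hitcount -j LOG --log-prefix \"ssh-bruteforce: \""
    echo "$ct -m recent --name SSH --update --seconds $seconds --hitcount $hitcount -j DROP"

    # 3. Global backstop with the 'limit' token bucket: up to 16 new
    #    connections at once, refilling at 10 per minute across all sources.
    echo "$ct -m limit --limit 10/minute --limit-burst 16 -j ACCEPT"
    echo "$ct -j DROP"
}

# Check the ordering invariant: the first whitelist ACCEPT precedes the first DROP.
rules_ordered_ok() {
    first_accept=$(printf '%s\n' "$1" | grep -n '^-A INPUT -s ' | head -n 1 | cut -d: -f1)
    first_drop=$(printf '%s\n' "$1" | grep -n -- '-j DROP' | head -n 1 | cut -d: -f1)
    [ -n "$first_accept" ] && [ -n "$first_drop" ] && [ "$first_accept" -lt "$first_drop" ]
}

# Append the rules to the live filter table (needs root and iptables-restore).
apply_ssh_rules() {
    rules=$(gen_ssh_rules "$@")
    rules_ordered_ok "$rules" || { echo "refusing to apply: bad rule order" >&2; return 1; }
    { printf '*filter\n'; printf '%s\n' "$rules"; printf 'COMMIT\n'; } | iptables-restore --noflush
}

# Dry run with a constructed admin address: print what would be applied.
gen_ssh_rules "192.0.2.10" 4 60
```

Run it as-is to see the generated rules; call apply_ssh_rules with your own whitelist as root to load them. The per-IP rules use --update rather than --rcheck, so a source that keeps connecting keeps refreshing its own block; the global limit rule only matters once the per-IP check has let traffic through, which is what keeps one noisy source from locking everyone else out.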