[clue-admin] More server security stuff

Jed S. Baer thag at frii.com
Sat Mar 26 19:25:00 MST 2005


You recall earlier this month Greg Knaddison posted the following
suggestion to CLUE-Tech

"I added sshd to list of xinetd process, and limited maximum consecutive
connections to 3 per host. It stops the dictionary scripts after 3rd
attempt."

Our server is still getting pounded with ssh login attempts. Mostly for
root, which is disabled. But I don't see any reason not to make things
harder for the kiddies, so I started looking for a sample xinetd config
file for ssh. I still need to do some more reading, but here's one I've
found, which didn't contain such a restriction, but I've added lines which
might do the trick, if I understand the manpage correctly.

service ssh
{
        socket_type     = stream
        protocol        = tcp
        wait            = no
        user            = root
        server          = /usr/sbin/sshd
        server_args     = -i
        # It's not listed in my /etc/services, so give xinetd the port
        # and mark the service UNLISTED so it does not try to look it up
        type            = UNLISTED
        port            = 22
        log_on_failure  = ATTEMPT HOST RECORD
        # begin "throttling" section
        # (xinetd only understands comments on a line of their own, so
        # the notes are kept off the attribute lines)
        # max instances of the server
        instances       = 10
        # max simultaneous connections per source IP address
        per_source      = 3
        # connections per second allowed, then seconds to wait before
        # re-enabling the service once that rate is exceeded
        cps             = 10 30
        access_times    = 06:00-23:59 00:00-01:00
}

My concern is that the script kiddies or crackers can succeed in shutting
down legitimate access to the machine by continuing to beat on sshd. I
found no xinetd options which specifically limit, as Greg's quote put it,
"consecutive connections per host". I don't know if anyone wants to be
able to login between 1 and 6 AM -- maybe that's overkill.

There's another possible approach, which I found at
<http://aplawrence.com/Blog/B1117.html>; it is similar in that it throttles
connections based on persistence of attempts, but doesn't involve xinetd.
Additionally, there's a PAM config section which looks interesting.

Any suggestions appreciated.
jed
-- 
http://s88369986.onlinehome.us/freedomsight/
Key fingerprint = B027 FEFB 4281 CC72 67D1  4237 F2D0 D356 077A A30E
... it is poor civic hygiene to install technologies that could someday
facilitate a police state. -- Bruce Schneier
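The lock-out concern raised in the post can be checked with a small model of the three throttling attributes. The following is an added example and not part of the original message or of xinetd itself; it is a simplified simulation of the instances, per_source and cps semantics as described in xinetd.conf(5), driven by constructed connection attempts (the addresses, timings and durations are made up). It shows that per_source only constrains the abusive source, while cps is a service-wide switch: once the rate is exceeded, every source is refused for the wait period.

```python
"""Simplified model of xinetd's instances / per_source / cps limits.

Added example, not code from the original post or from xinetd. Semantics
modelled (from xinetd.conf(5)):
  instances  = max simultaneous servers for the service
  per_source = max simultaneous servers per source address
  cps = N S  = more than N new connections within one second disables the
               whole service for S seconds
All connection data below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Conn:
    t: float    # arrival time in seconds (constructed)
    src: str    # source address (constructed, documentation ranges)
    dur: float  # how long the accepted session stays open


class XinetdLimiter:
    def __init__(self, instances=10, per_source=3, cps=(10, 30)):
        self.instances = instances
        self.per_source = per_source
        self.cps_limit, self.cps_wait = cps
        self.active = []            # (end_time, src) of open sessions
        self.disabled_until = -1.0  # service-wide cps lockout
        self.second_start = None    # start of the current 1 s window
        self.second_count = 0

    def _expire(self, now):
        self.active = [(end, src) for end, src in self.active if end > now]

    def offer(self, conn):
        """Decide one connection attempt; returns a short outcome label."""
        now = conn.t
        self._expire(now)
        if now < self.disabled_until:
            return "rejected:cps-disabled"
        # cps: count arrivals in the current one-second window
        if self.second_start is None or now - self.second_start >= 1.0:
            self.second_start = now
            self.second_count = 0
        self.second_count += 1
        if self.second_count > self.cps_limit:
            self.disabled_until = now + self.cps_wait
            return "rejected:cps-triggered"
        # instances: global cap on simultaneous servers
        if len(self.active) >= self.instances:
            return "rejected:instances"
        # per_source: cap on simultaneous servers from this address
        if sum(1 for _, s in self.active if s == conn.src) >= self.per_source:
            return "rejected:per_source"
        self.active.append((now + conn.dur, conn.src))
        return "accepted"


def run(limiter, conns):
    return [limiter.offer(c) for c in conns]


def scenario_per_source():
    """Six slow dictionary attempts from one host that hold their sessions
    open, followed by a legitimate login from a different host."""
    lim = XinetdLimiter()
    attack = [Conn(t=float(i), src="192.0.2.10", dur=100.0) for i in range(6)]
    legit = [Conn(t=6.5, src="198.51.100.7", dur=100.0)]
    return run(lim, attack + legit)


def scenario_cps_flood():
    """Twelve attempts from one host inside a single second, then a
    legitimate login during the 30 s lockout and another after it."""
    lim = XinetdLimiter()
    flood = [Conn(t=100.0 + i * 0.01, src="192.0.2.10", dur=0.001)
             for i in range(12)]
    legit_during = Conn(t=110.0, src="198.51.100.7", dur=100.0)
    legit_after = Conn(t=131.0, src="198.51.100.7", dur=100.0)
    return run(lim, flood + [legit_during, legit_after])


if __name__ == "__main__":
    print("per_source:", scenario_per_source())
    print("cps flood: ", scenario_cps_flood())
```

In the first scenario the fourth attempt from 192.0.2.10 onwards is refused with per_source, yet the other host still gets in; in the second, the eleventh arrival within the second trips cps and the legitimate host at t=110 is refused along with the attacker until the 30 s wait has elapsed. That is the trade-off behind the worry in the post: per_source is the attribute that behaves like "3 per host", and cps is the one that can be turned into a short denial of service for everyone.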