[clue-admin] More server security stuff
Jed S. Baer
thag at frii.com
Sat Mar 26 19:25:00 MST 2005
You recall earlier this month Greg Knaddison posted the following
suggestion to CLUE-Tech
"I added sshd to the list of xinetd processes, and limited maximum consecutive
connections to 3 per host. It stops the dictionary scripts after the 3rd
attempt."
Our server is still getting pounded with ssh login attempts. Mostly for
root, which is disabled. But I don't see any reason not to make things
harder for the kiddies, so I started looking for a sample xinetd config
file for ssh. I still need to do some more reading, but here's one I've
found, which didn't contain such a restriction, but I've added lines which
might do the trick, if I understand the manpage correctly.
service ssh
{
        socket_type     = stream
        protocol        = tcp
        wait            = no
        user            = root
        server          = /usr/sbin/sshd
        # sshd must be told it is running under inetd/xinetd
        server_args     = -i
        # It's not listed in my /etc/services, so xinetd needs
        # type = UNLISTED plus an explicit port, or it refuses the entry
        type            = UNLISTED
        port            = 22
        log_on_failure  = ATTEMPT HOST RECORD
        # begin "throttling" section
        # (xinetd does not accept trailing comments on an attribute line,
        # so each comment is on its own line)
        # max simultaneous instances of the server
        instances       = 10
        # max simultaneous connections from one source IP
        per_source      = 3
        # at most 10 incoming connections/second; when exceeded the
        # service is disabled for 30 seconds
        cps             = 10 30
        access_times    = 06:00-23:59 00:00-01:00
}
My concern is that the script kiddies or crackers can succeed in shutting
down legitimate access to the machine by continuing to beat on sshd. I
found no xinetd options which specifically limit, as Greg's quote put it
"consecutive connections per host". I don't know if anyone wants to be
able to login between 1 and 6 AM -- maybe that's overkill.
There's another possible approach, which I found at
<http://aplawrence.com/Blog/B1117.html>; it is similar in that it throttles
connections based on persistence of attempts, but doesn't involve xinetd.
Additionally, there's a PAM config section which looks interesting.
Any suggestions appreciated.
jed
--
http://s88369986.onlinehome.us/freedomsight/
Key fingerprint = B027 FEFB 4281 CC72 67D1 4237 F2D0 D356 077A A30E
... it is poor civic hygiene to install technologies that could someday
facilitate a police state. -- Bruce Schneier
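The "consecutive connections per host" limit that Jed could not find in xinetd can be done outside it, by counting failed logins per source address in sshd's own log and blocking only the offending source. Unlike the xinetd `cps` attribute, which disables the service for everyone once the rate is exceeded, a per-host counter does not let one attacker shut out legitimate users. The following is an added example, not code from the original post or from the aplawrence page; the log lines in it are constructed to look like sshd/syslog output of that era, and the `hosts.deny` rendering assumes sshd was built with tcp_wrappers (libwrap) support, which was the usual case on 2005-era Linux distributions.

```python
import re
from collections import defaultdict

# sshd log line shapes this parser understands: "Failed password for ...",
# "Failed password for invalid user ...", and "Accepted <method> for ...".
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed password|Accepted \w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample of /var/log/auth.log, not taken from a real host.
SAMPLE_LOG = [
    "Mar 26 19:01:02 box sshd[2001]: Failed password for root from 10.0.0.5 port 51234 ssh2",
    "Mar 26 19:01:04 box sshd[2002]: Failed password for invalid user admin from 10.0.0.5 port 51240 ssh2",
    "Mar 26 19:01:05 box sshd[2003]: Accepted publickey for jed from 192.0.2.10 port 40000 ssh2",
    "Mar 26 19:01:06 box sshd[2004]: Failed password for root from 10.0.0.5 port 51250 ssh2",
    "Mar 26 19:01:09 box sshd[2005]: Failed password for jed from 192.0.2.10 port 40010 ssh2",
    "Mar 26 19:01:10 box sshd[2006]: Failed password for jed from 192.0.2.10 port 40011 ssh2",
    "Mar 26 19:01:12 box sshd[2007]: Accepted password for jed from 192.0.2.10 port 40012 ssh2",
    "Mar 26 19:01:13 box sshd[2008]: pam_unix(sshd:auth): authentication failure; rhost=10.0.0.5 user=root",
    "Mar 26 19:01:15 box sshd[2009]: Failed password for root from 10.0.0.5 port 51260 ssh2",
]


def parse_auth_line(line):
    """Return (ip, user, failed) for an sshd auth result line, else None."""
    m = AUTH_RE.search(line)
    if not m:
        return None
    return (m.group("ip"), m.group("user"), m.group("result").startswith("Failed"))


def hosts_over_limit(lines, limit=3):
    """Map source IP -> length of its run of consecutive failed logins,
    for every host whose run reached `limit`.

    Streaks are kept per host, so interleaved traffic from other hosts
    does not reset an attacker's count, and a successful login from a
    host resets only that host's count (a typo by a real user is not
    punished as long as they eventually get in)."""
    streak = defaultdict(int)
    flagged = {}
    for line in lines:
        parsed = parse_auth_line(line)
        if parsed is None:
            continue          # pam_unix and other chatter: not an auth result
        ip, _user, failed = parsed
        if failed:
            streak[ip] += 1
            if streak[ip] >= limit:
                flagged[ip] = streak[ip]
        else:
            streak[ip] = 0
    return flagged


def hosts_deny_lines(flagged):
    """Render flagged hosts as /etc/hosts.deny entries for sshd.
    Assumes sshd is linked against libwrap (tcp_wrappers)."""
    return ["sshd: %s" % ip for ip in sorted(flagged)]


if __name__ == "__main__":
    offenders = hosts_over_limit(SAMPLE_LOG, limit=3)
    print(offenders)                       # {'10.0.0.5': 4}
    print("\n".join(hosts_deny_lines(offenders)))
```

Run over the sample, 10.0.0.5 is flagged after its third consecutive failure and 192.0.2.10 is not, because its two failures are followed by an accepted login. In practice this would be fed by a tail of the auth log and the deny list would be rewritten from the accumulated result, with an expiry so that a host that shares an address with a real user is not blocked forever.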
More information about the clue-admin mailing list