
Linux Security Experts

Seems like a fine idea, though I wonder how often it really comes up. I see plenty of drive-by attacks in the logs, but never noticed a genuine brute-force attempt. Probably depends on who/where you are.

If you really wanted to get serious though, wouldn't you just disable password authentication altogether and use public key authentication?

(Disclaimer: not a Linux security expert 😉 )
 
Perhaps I should look into using PKA, but I like the idea of me being able to log in from anywhere I have ssh available, and PKA would pretty much kill that.

Joe
 
The idea in the article isn't a bad one but it only covers port 22 and you'd need one set of rules per port that you want to protect, unless you don't mind them all sharing the same timing pool. If you have strong enough passwords or PKA the main advantage to those rules would be cleaner logs.

Perhaps I should look into using PKA, but I like the idea of me being able to log in from anywhere I have ssh available, and PKA would pretty much kill that.

PKA wouldn't kill that if you just carried around a flash drive with your key on it.
 
While working at an ISP we saw lots of brute force attacks in the logs. We ended up installing denyhosts. Basically if someone attempts an SSH log in and gets it wrong 5 times (or whatever number you set) their IP gets added to /etc/hosts.deny to block them from SSH access (or ANY access if you want).

We'd have betting pools on how many new IPs would get added over the weekends sometimes.
 
I employ strong passwords, no root login, and used keys for any automated operations.
Since I don't run SSH servers for anyone else's convenience, I use a nonstandard port.
Since the port change, my logs have no failed login attempts save my own ham-fisted ones.
 
I use a Perl script called sshblack that monitors my auth logs for failures. If three failures are detected from an IP address, an iptables rule is added to drop all packets from that IP address for 3 days. The other option is to use multifactor auth (something you have AND something you know). It is also good practice to disable root logins over ssh (PermitRootLogin no); that way an attacker would have to guess the user AND the password instead of just the password.
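The failure-counting logic that a log watcher like sshblack applies to sshd auth logs, as an added example (not the poster's script or sshblack itself): it parses "Failed password" lines, counts failures per source IP inside a sliding window, and renders the drop rules it would hand to iptables. The log lines are constructed, and the year, threshold and window length are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd auth.log lines (not taken from the thread). The three slow
# attempts from 192.0.2.9 show the window edge case: spread out, they never
# reach the threshold inside a 10-minute window.
SAMPLE_LOG = """\
Mar  3 10:01:02 host sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:05 host sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Mar  3 10:01:09 host sshd[1203]: Failed password for root from 203.0.113.7 port 51241 ssh2
Mar  3 10:02:00 host sshd[1210]: Failed password for joe from 198.51.100.5 port 40000 ssh2
Mar  3 10:02:30 host sshd[1211]: Accepted publickey for joe from 198.51.100.5 port 40001 ssh2
Mar  3 13:00:00 host sshd[1300]: Failed password for root from 192.0.2.9 port 33333 ssh2
Mar  3 13:30:00 host sshd[1301]: Failed password for root from 192.0.2.9 port 33334 ssh2
Mar  3 14:00:00 host sshd[1302]: Failed password for root from 192.0.2.9 port 33335 ssh2
"""

# syslog timestamp, host, sshd pid, then the OpenSSH failed-password message
FAIL_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"Failed password for (?:invalid user )?(\S+) from (\S+) port")

def parse_failures(text, year=2024):
    """Yield (timestamp, user, ip) for each failed-password line; year is assumed
    because syslog timestamps omit it."""
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are skipped
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        yield ts, m.group(2), m.group(3)

def offenders(text, threshold=3, window_minutes=10):
    """Return {ip: total_failures} for IPs with >= threshold failures inside
    any sliding window of window_minutes."""
    window = timedelta(minutes=window_minutes)
    events = defaultdict(list)
    for ts, _user, ip in parse_failures(text):
        events[ip].append(ts)
    hits = {}
    for ip, stamps in events.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = len(stamps)
                break
    return hits

def iptables_rules(hits):
    """Render the drop rules a blocker would add (rendered only, not applied)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(hits)]

if __name__ == "__main__":
    for rule in iptables_rules(offenders(SAMPLE_LOG)):
        print(rule)
```

Widening the window (for example to 120 minutes) also catches the slow attempts from 192.0.2.9, which is the trade-off between a tight window and false positives from a forgetful user.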
 
Originally posted by: child of wonder
While working at an ISP we saw lots of brute force attacks in the logs. We ended up installing denyhosts. Basically if someone attempts an SSH log in and gets it wrong 5 times (or whatever number you set) their IP gets added to /etc/hosts.deny to block them from SSH access (or ANY access if you want).

We'd have betting pools on how many new IPs would get added over the weekends sometimes.

/etc/hosts.deny only applies to services that are run through inetd (or xinetd). Usually ssh is run as a daemon by init, so adding rules to /etc/hosts.deny won't do much for you.

Also Netopia, the key on the USB is a great idea and true multi-factor authentication (a SOX requirement for remote access), and not difficult to set up!
 
/etc/hosts.deny only applies to services that are run through inetd (or xinetd). Usually ssh is run as a daemon by init, so adding rules to /etc/hosts.deny won't do much for you.

That's not true at all, anything linked against TCP wrappers (libwrap) uses /etc/hosts.*.
 