Posted on September 27, 2005, 9:24 pm
I am preferably a linux guy but I've had extensive experience working
with FreeBSD, and the default setup with FreeBSD was that if you try to
log in on the console several times sequentially and you fail, it takes
longer and longer until the next "type in password" prompt comes in. I
really like this security feature to be available for ssh because if
some script kiddie is trying to hack me, the more they try, the slower
they will progress with their dictionary attack.
Is there a way to do this with ssh? I looked through the docs and
didn't find any option that would enable this.
If any of you know how to do this, please share with us!
Re: takes longer and longer for next prompt to come with every unsuccessful login attempt
It won't make any difference to the current crop of ssh-based worms,
though. Most seem to make only one password auth request then disconnect.
Some form of connection rate limiting would help. (I think iptables can
do this. OpenBSD's pf can).
Most Linux distros build sshd with PAM, so you'll need to configure PAM
to do it. See the LinuxPAM docs for pam_fail_delay() and
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
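As an added example (not code from the thread or from either poster), here is one way to do the per-source connection rate limiting Darren suggests, using the iptables `recent` match. A per-connection delay does nothing against a worm that disconnects after a single guess, whereas this counts new connections per source address. The port, hit count, time window and the DRY_RUN switch are assumptions of mine.

```shell
#!/bin/sh
# Added example: rate-limit new SSH connections per source with iptables.
# DRY_RUN=1 (default) only prints the rules; DRY_RUN=0 as root installs them.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# ssh_ratelimit PORT HITCOUNT SECONDS
# A source that opens HITCOUNT or more new connections to PORT within
# SECONDS gets further attempts dropped until it stays quiet for SECONDS.
ssh_ratelimit() {
    port=$1; hits=$2; secs=$3
    # 1. Record the source address of every new connection in the "SSH" list.
    run -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW \
        -m recent --set --name SSH --rsource
    # 2. If that source already has HITCOUNT entries within SECONDS, drop.
    #    --update refreshes the timestamp, so a brute-forcer that keeps
    #    hammering stays blocked instead of getting a fresh window.
    run -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW \
        -m recent --update --seconds "$secs" --hitcount "$hits" \
        --name SSH --rsource -j DROP
    # 3. Everything else (well-behaved logins, existing sessions) is accepted.
    run -A INPUT -p tcp --dport "$port" -j ACCEPT
}

# Helper for checking the generated rule set: how many rules use "recent".
ssh_ratelimit_rule_count() {
    ssh_ratelimit "$@" | grep -c -- '-m recent'
}

# Constructed sample invocation: port 22, 4th new connection within 60 s is dropped.
ssh_ratelimit 22 4 60
```

Check what the rules do with `iptables -L INPUT -v -n` and `/proc/net/xt_recent/SSH` after installing them; legitimate users who mistype a few times within the window are blocked too, so pick the window with that in mind.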