Protecting against ssh brute-force attacks
Neal Becker
ndbecker2 at gmail.com
Wed Nov 2 17:11:49 UTC 2005
Nicolas Mailhot wrote:
>
> On Mer 2 novembre 2005 09:23, Tomas Mraz wrote:
>> On Tue, 2005-11-01 at 20:40 -0500, Warren Togami wrote:
>
>>> I haven't tried pam_abl, but I am guessing that it reacts faster to an
>>> attack than denyhosts. The packaged denyhosts defaults to 30 seconds
>>> between log checks when in daemon mode. This is good enough, although I
>>> wonder if pam_abl is more efficient by not re-reading the logs often.
>>> (Just guessing how it works...)
>> It doesn't read the logs, it uses the information provided from the PAM
>> calls. So it reacts immediately although it means that the protected
>> service must use PAM for authentication+authorization. As SSH does it is
>> very well usable for it and I even think it was primarily designed with
>> ssh in mind.
>
> OK, one voice for denyhosts, another for pam_abl.
> Anyone tried both? Is pam_abl easy to set up? Will pam_abl react only to
> ssh, or also lock up local connections if someone mistypes his password too
> often?
>
denyhosts has a big problem - it never removes entries - so hosts.deny will
grow without bounds.
I suggest daemonshield. Uses iptables, so is probably faster - does expire
entries, AND can protect more than just ssh.
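Added example, not part of the thread and not code from denyhosts, pam_abl or daemonshield: a small Python sketch of the logic the discussion turns on, namely counting failed ssh logins per source address from sshd log lines, blocking a source after a threshold inside a short window, and expiring the block after a fixed time so the deny list does not grow without bound. The sample log lines, the assumed year (syslog lines in this format carry none), the thresholds and the class and function names are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd log sample for this example (not from the original thread).
# The year is an assumption because syslog-format lines do not carry one.
ASSUMED_YEAR = 2005
SAMPLE_LOG = """\
Nov  2 17:00:01 host sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 4411 ssh2
Nov  2 17:00:03 host sshd[1202]: Failed password for root from 192.0.2.10 port 4412 ssh2
Nov  2 17:00:05 host sshd[1203]: Failed password for invalid user test from 192.0.2.10 port 4413 ssh2
Nov  2 17:00:09 host sshd[1204]: Accepted publickey for neal from 198.51.100.7 port 50011 ssh2
Nov  2 17:00:30 host sshd[1205]: Failed password for neal from 198.51.100.7 port 50012 ssh2
Nov  2 17:03:00 host sshd[1206]: Failed password for root from 192.0.2.10 port 4414 ssh2
"""

# Matches the OpenSSH "Failed password" line shape (with or without "invalid user").
FAILED_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def parse_failure(line):
    """Return (timestamp, source_ip) for a failed-password line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(
        f"{ASSUMED_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"]


class ExpiringBanList:
    """Sliding-window failure counter with bans that expire (hypothetical name).

    This is the property the thread contrasts: a deny list that is purged
    over time, rather than one that only ever grows.
    """

    def __init__(self, threshold=3, window=timedelta(seconds=60),
                 ban_for=timedelta(minutes=10)):
        self.threshold = threshold
        self.window = window
        self.ban_for = ban_for
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.bans = {}                       # ip -> expiry time

    def record_failure(self, ip, ts):
        """Record one failure; return True if it triggers a new ban."""
        recent = self.failures[ip]
        recent.append(ts)
        # Drop failures that fell out of the window.
        while recent and ts - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.threshold and not self.is_banned(ip, ts):
            self.bans[ip] = ts + self.ban_for
            recent.clear()
            return True
        return False

    def is_banned(self, ip, now):
        expiry = self.bans.get(ip)
        return expiry is not None and now < expiry

    def active_bans(self, now):
        """Purge expired bans and return the sources still blocked, sorted."""
        self.bans = {ip: exp for ip, exp in self.bans.items() if now < exp}
        return sorted(self.bans)


def process_log(text, banlist=None):
    """Feed every failed-password line to the ban list.

    Returns (triggered, banlist) where triggered lists (ip, time) for each
    newly imposed ban.
    """
    if banlist is None:
        banlist = ExpiringBanList()
    triggered = []
    for line in text.splitlines():
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if banlist.record_failure(ip, ts):
            triggered.append((ip, ts))
    return triggered, banlist


def hosts_deny_lines(banlist, now):
    """Render the currently active bans in hosts.deny style for sshd."""
    return [f"sshd: {ip}" for ip in banlist.active_bans(now)]


if __name__ == "__main__":
    triggered, bl = process_log(SAMPLE_LOG)
    print("bans triggered:", triggered)
    print("at 17:05:", hosts_deny_lines(bl, datetime(ASSUMED_YEAR, 11, 2, 17, 5, 0)))
    print("at 17:11:", hosts_deny_lines(bl, datetime(ASSUMED_YEAR, 11, 2, 17, 11, 0)))
```

With the sample above, the third failure from 192.0.2.10 inside one minute triggers a ten-minute ban, the single failure from 198.51.100.7 does not, and by 17:11 the ban has expired and the rendered deny list is empty again. A real deployment would apply the block through iptables or tcp_wrappers rather than a rendered list, but the expiry bookkeeping is the part the thread is about.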