Passing password in ssh

Mark Haney mhaney at ercbroadband.org
Thu Jan 24 13:15:38 UTC 2008


John Summerfield wrote:
> Aldo Foot wrote:
> 
>>
>> I have a couple of questions:
>>
>> 1. If you use the connection/hour limit scheme does it mean you don't
>>     use tcpwrappers and you only rely on user/password for authorization?
> 
> tcpwrappers doesn't do anything I need that I can't also do with netfilter.
>>
>> 2. Is this what you use to configure five ssh connections per hour?
>>     #tcplimit 22 5 hour on
> ?? I don't ken that.
> from iptables-save:
> 
> -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m limit --limit 5/hour -j LOG --log-prefix "SSH connexion "
> -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m limit --limit 5/hour -j ACCEPT
> -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j LOG --log-prefix "SSH connexion attack dropped "
> -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j DROP
> 
> 
> Here's a logwatch summary:
> Dropped 293 packets on interface eth0
> 
> Logged 27 packets on interface eth0
> 
> I am more liberal with connexions from locations I may visit; I don't 
> rate-limit or log.
> 
> It would take some time or improbable luck for someone to crack a 
> password, even a weak one, at the rate of attempts I see.
> 
> Note too that this is my second access control; I run shorewall on the 
> Internet gateway, and that blocks great gobs of people who've offended 
> me. Mostly, when folk get past my antispam I do a whois search and block 
>  _at_ least a /24 network, sometimes a /13. Those, I block smtp, imap 
> (we don't run pop) and ssh.
> 
> 
> 

OSSEC can do that same thing for you automatically based on IP address 
of the attacker as well.


-- 
Libenter homines id quod volunt credunt -- Caius Julius Caesar


Mark Haney
Sr. Systems Administrator
ERC Broadband
(828) 350-2415

Call (866) ERC-7110 for after hours support
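As an added example (not code from the thread), here is a small Python parser for the kernel messages the two LOG rules quoted above emit, prefixed "SSH connexion " and "SSH connexion attack dropped ", rebuilding the per-source summary that logwatch produced; the log lines, hostnames and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample of what the LOG target writes to the kernel log
# (prefix, then IN=/SRC=/DST=/PROTO=/DPT= fields). Addresses are made up.
# Note: "-m limit" in the quoted rules is one global token bucket, not a
# per-source one, so every source shares the same 5/hour budget.
SAMPLE_LOG = """\
Jan 24 13:01:02 gw kernel: SSH connexion IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40001 DPT=22 SYN
Jan 24 13:01:09 gw kernel: SSH connexion IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40002 DPT=22 SYN
Jan 24 13:02:30 gw kernel: SSH connexion IN=eth0 OUT= SRC=203.0.113.44 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=33000 DPT=22 SYN
Jan 24 13:02:31 gw kernel: SSH connexion attack dropped IN=eth0 OUT= SRC=203.0.113.44 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=33001 DPT=22 SYN
Jan 24 13:02:33 gw kernel: SSH connexion attack dropped IN=eth0 OUT= SRC=203.0.113.44 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=33002 DPT=22 SYN
Jan 24 13:05:00 gw kernel: SSH connexion attack dropped IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40003 DPT=22 SYN
Jan 24 13:05:01 gw kernel: martian source 192.0.2.10 from 10.0.0.1, on dev eth0
"""

# The two --log-prefix strings from the rules, followed by the packet fields.
LINE_RE = re.compile(r"kernel: (?P<prefix>SSH connexion(?: attack dropped)?) (?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Return (verdict, src, dport) for a line from one of the two LOG rules,
    or None for any other kernel message."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    verdict = "dropped" if "dropped" in m.group("prefix") else "logged"
    return verdict, fields.get("SRC"), int(fields.get("DPT", 0))

def summarize(log_text):
    """Per-source counts, keyed like the logwatch summary: dropped / logged."""
    out = {"dropped": Counter(), "logged": Counter()}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[2] == 22 and parsed[1]:
            out[parsed[0]][parsed[1]] += 1
    return out

def report(summary, iface="eth0"):
    """Render the counts in the same layout logwatch uses."""
    lines = []
    for verdict, title in (("dropped", "Dropped"), ("logged", "Logged")):
        lines.append(f"{title} {sum(summary[verdict].values())} packets on interface {iface}")
        for src, n in sorted(summary[verdict].items()):
            lines.append(f"  From {src} - {n} packet{'s' if n != 1 else ''} to tcp(22)")
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(summarize(SAMPLE_LOG)))
```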
