John R Pierce (pierce@hogranch.com) wrote (28.11.2008 09:49):
I need to delay failed ssh password authentication as an additional measure against brute force ssh attacks. I understand that should be accomplished through pam, but googling gave me no example. I have CentOS 5.2.
I think I'd set MaxAuthTries to 2 in /etc/ssh/sshd_config (give your legit users one chance when they mistype the password), then use the iptables stuff to rate limit ssh connections from a given source IP, after a few connection attempts in < 1 minute, blacklist that IP for a half hour or something.
You don't want to set it TOO sensitive or you'll find yourself unable to open several shell windows to the same host (something I do frequently so I can have one for an edit session or running an installer or something, and another for man or for doing root stuff, or whatever).
Have you checked fail2ban? It's easy enough to configure, and has worked flawlessly for me for some time now. You can set it to blacklist an IP after N false tries (set "N"=3, and the user will be banned after 2 x 3 false tries [though I would assume it should ban only after 3 x 3 tries]).
Accurate logins are not counted, and you can whitelist your own IP if you like.
You will find fail2ban in the rpmforge yum repo.
- Jussi
-- Jussi Hirvi * Green Spot Topeliuksenkatu 15 C * 00250 Helsinki * Finland Tel. & fax +358 9 493 981 * Mobile +358 40 771 2098 (only sms) jussi.hirvi@greenspot.fi * http://www.greenspot.fi
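A fail2ban-style counter over sshd log lines, as an added example that is not part of this thread or of fail2ban itself: it bans an address after maxretry failed passwords within findtime seconds, ignores accepted logins, and never bans a whitelisted address. The sample log, the 2008 year and the maxretry/findtime/bantime defaults are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Standard OpenSSH syslog lines: "<stamp> <host> sshd[<pid>]: <message>"
LOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (.*)$")
FAILED_RE = re.compile(r"^Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+)")

# Constructed sample log: a fast burst from 203.0.113.5, a successful login from
# 198.51.100.7, slow failures from 192.0.2.10, then a burst from 198.51.100.7.
SAMPLE_LOG = """\
Nov 28 09:49:01 host sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Nov 28 09:49:03 host sshd[2002]: Failed password for root from 203.0.113.5 port 40002 ssh2
Nov 28 09:49:05 host sshd[2003]: Failed password for root from 203.0.113.5 port 40003 ssh2
Nov 28 09:49:20 host sshd[2004]: Accepted password for jussi from 198.51.100.7 port 50001 ssh2
Nov 28 09:49:30 host sshd[2005]: Failed password for jussi from 192.0.2.10 port 51000 ssh2
Nov 28 09:55:00 host sshd[2006]: Failed password for jussi from 192.0.2.10 port 51001 ssh2
Nov 28 10:05:00 host sshd[2007]: Failed password for jussi from 192.0.2.10 port 51002 ssh2
Nov 28 10:30:00 host sshd[2008]: Failed password for root from 198.51.100.7 port 50002 ssh2
Nov 28 10:30:01 host sshd[2009]: Failed password for root from 198.51.100.7 port 50003 ssh2
Nov 28 10:30:02 host sshd[2010]: Failed password for root from 198.51.100.7 port 50004 ssh2
"""

def parse_ts(stamp, year=2008):
    """syslog stamps carry no year; assume one so time deltas can be computed."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def find_bans(lines, maxretry=3, findtime=600, bantime=1800, ignoreip=()):
    """Return {ip: ban_expiry} for addresses with maxretry failed passwords inside
    a sliding findtime window; accepted logins are not counted, ignoreip is never banned."""
    failures = defaultdict(deque)
    bans = {}
    for line in lines:
        m = LOG_RE.match(line)
        f = FAILED_RE.match(m.group(2)) if m else None
        if not f:
            continue  # "Accepted ..." and unrelated lines are ignored
        ip, ts = f.group("ip"), parse_ts(m.group(1))
        if ip in ignoreip or ip in bans:
            continue
        window = failures[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:  # expire old failures
            window.popleft()
        if len(window) >= maxretry:
            bans[ip] = ts + timedelta(seconds=bantime)
    return bans
```

Without a whitelist the admin's own address ends up banned after its 10:30 burst; passing it in ignoreip is the whitelisting step mentioned above.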