[CentOS] ssh attack

Mon Feb 13 23:12:48 UTC 2006
Barry Brimer <barry.brimer at bigfoot.com>

> I have 2 questions. One, is there anything you can do to stop these
> attempts, other than not running ssh?

I use a pam_listfile entry in /etc/pam.d/sshd that reads a file (mine is called
/etc/sshusers).  If the user requested to log in is not in the file, the
authentication attempt is rejected.  So, if I had a user named "bob" and
someone managed to sniff "bob"'s password during a cleartext protocol
authentication session, the user would not be able to log in to the ssh server
if "bob" wasn't listed in the file.  You can do the same with groups.  The main
advantage of using this method over the AllowUsers method is that this file can
be updated, and sshd does not have to be restarted to re-read the file.  You
also might look into the pam_access module.  I've used that on occasion as
well.

Hope this helps.

Barry
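
The following is an added example, not part of Barry's message: a shell audit of the kind of pam_listfile allow-list the post describes. The PAM option values (item=user, sense=allow, onerr=fail) and the helper function names are assumptions; only the /etc/sshusers path comes from the post, and the demo runs on constructed files in a temporary directory.

```shell
#!/bin/sh
# Added example: checks for a pam_listfile allow-list such as the one described.
# Assumed PAM line (option values are assumptions; the path is from the post):
#   auth required pam_listfile.so item=user sense=allow file=/etc/sshusers onerr=fail

# Print the first active (uncommented) pam_listfile auth line of a PAM file.
listfile_line() {
    awk '$1 == "auth" && /pam_listfile\.so/ { print; exit }' "$1"
}

# Print the file= argument of that line.
listfile_path() {
    listfile_line "$1" | tr ' \t' '\n\n' | sed -n 's/^file=//p'
}

# Succeed only if the line is an allow-list that denies on read errors.
listfile_fails_closed() {
    line=$(listfile_line "$1")
    case "$line" in *sense=allow*) ;; *) return 1 ;; esac
    case "$line" in *onerr=fail*) ;; *) return 1 ;; esac
}

# Succeed if the list is a regular file that is not world-writable
# (a world-writable list would let any local user add themselves).
listfile_perms_ok() {
    [ -f "$1" ] && [ -z "$(find "$1" -prune -perm -0002 -print)" ]
}

# Succeed if the user appears as an exact, whole line in the list.
user_listed() {
    grep -Fxq -- "$1" "$2"
}

# Demo on constructed files in a temporary directory (nothing under /etc is read).
demo() {
    d=$(mktemp -d) || return 1
    printf 'auth required pam_listfile.so item=user sense=allow file=%s onerr=fail\n' \
        "$d/sshusers" > "$d/sshd"
    printf 'alice\n' > "$d/sshusers"; chmod 644 "$d/sshusers"
    f=$(listfile_path "$d/sshd")
    listfile_fails_closed "$d/sshd" && listfile_perms_ok "$f" && echo "config ok"
    for u in alice bob; do
        if user_listed "$u" "$f"; then echo "$u: listed"; else echo "$u: rejected"; fi
    done
    rm -rf "$d"
}
demo
```

On a real host the same functions can be pointed at /etc/pam.d/sshd and the file it names; editing the list takes effect on the next login without restarting sshd, as the post notes.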