[CentOS] How to delay failed ssh auth
mail-lists at karan.org
Fri Nov 28 16:21:29 UTC 2008
Veiko Kukk wrote:
> I need to delay failed ssh password authentication as an additional
> measure against brute force ssh attacks. I understand that should be
> accomplished through pam, but googling gave me no example. I have CentOS
pam_shield and pam_delay are both modules you can use for stuff like
this, although I don't personally like either. If you get thousands of
hits per hour, pam's internal response time gets slowed down, and it's
not insignificant unless you have exceptionally large machines.

Same thing with log watchers including denyhosts / fail2ban etc.; the
overhead isn't really worth it. At the moment, switching ports to
something else non-standard works well, needs no extra s/w etc.