[CentOS] How to delay failed ssh auth

Fri Nov 28 10:30:10 UTC 2008
Jussi Hirvi <greenspot at greenspot.fi>

John R Pierce (pierce at hogranch.com) kirjoitteli (28.11.2008 09:49):
>> I need to delay failed ssh password authentication as an additional
>> measure against brute force ssh attacks. I understand, that shoud be
>> accomplished through pam, but googling gave me no example. I have
>> CentOS 5.2.
> 
> I think I'd set MaxAuthTries to 2 in /etc/ssh/sshd_config (give your
> legit users one chance when they mistype the password), then use the
> iptables stuff to rate limit ssh connections from a  given source IP,
> after a few connection attempts in < 1 minute, blacklist that IP for a
> half hour or something.
> 
> 
> you don't want to set it TOO sensitive or you'll find yourself unable to
> open several shell windows to the same host (something I do frequently
> so I can have one for an edit session or running an installer or
> sommething, and another for man or for doing root stuff, or whatever.

Have you checked fail2ban? It's easy enough to configure, and has worked
flawlessly for me for some time now. You can set it to blacklist an ip after
N false tries (set "N"=3, and the user will be banned after 2 x 3 false
tries [though I would assume it should ban only after 3 x 3 tries]).

Accurate logins are not counted, and you can whitelist your own ip if you
like. 

You will find fail2ban in the rpmforce yum-repo.

- Jussi

--
Jussi Hirvi * Green Spot
Topeliuksenkatu 15 C * 00250 Helsinki * Finland
Tel. & fax +358 9 493 981 * Mobile +358 40 771 2098 (only sms)
jussi.hirvi at greenspot.fi * http://www.greenspot.fi