[CentOS] protecting multiuser systems from bruteforce ssh attacks

Thu Aug 20 20:30:04 UTC 2009
Ron Loftin <reloftin at twcny.rr.com>

On Thu, 2009-08-20 at 15:14 -0500, Eugene Vilensky wrote:
> Hello,
> 
> What is the best way to protect multiuser systems from brute force
> attacks?  I am setting up a relatively loose DenyHosts policy, but I
> like the idea of locking an account for a time if too many attempts
> are made, but to balance this with keeping the user from making a
> helpdesk call.

Along with DenyHosts, consider the SSH server options "AllowGroups" and
"AllowUsers" to specify the users/groups allowed to connect.  My
experience is that this will deal with the majority of brute-force
attacks, since many of these target "known" user accounts ( "root",
"daemon", etc. ) as well as "common names" ( joe, jane, etc. ).

If an attempt is made to log in with a user name not specified by the
"AllowGroups" or "AllowUsers" options, the ssh server will reject it as
an "invalid user" and throw the connection on the floor, which seems to
lighten the load for DenyHosts.  Refer to "man sshd_config" for more
info.

For myself, with a pretty small user population, I just create a group
called "sshusers" ( of course, the name can be whatever you choose ) and
put users in that group who need SSH access from outside.

As always, YMMV. ;>

> 
> What are some policies/techniques that have worked for this list with
> minimal hassle?
> 
> Thanks!
> 
> -Eugene
-- 
Ron Loftin                      reloftin at twcny.rr.com

"God, root, what is difference ?"       Piter from UserFriendly
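
Added example, not part of the message above: a shell audit that lists which accounts an "AllowGroups" line, such as the "sshusers" setup described in the reply, would let through. The sample files and the account names (alice, bob, carol, joe) are constructed; group names are matched literally, although sshd also accepts patterns, and Match blocks are ignored.

```bash
#!/bin/bash
# Added example (not from the original post): list the accounts that an
# "AllowGroups" line would admit, given files in sshd_config, /etc/group and
# /etc/passwd format. Group names are treated as literal names, not patterns.

# Print every group named on an AllowGroups line (keyword is case-insensitive;
# commented-out lines do not match because their first field starts with "#").
allowed_groups() {
    awk 'tolower($1) == "allowgroups" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# Print the sorted accounts that belong to an allowed group, either as a listed
# member in the group file or through their primary GID in the passwd file.
ssh_permitted_users() {
    local config="$1" group="$2" passwd="$3"
    awk -F: -v allow="$(allowed_groups "$config" | tr '\n' ' ')" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        FNR == NR {                       # first file: group database
            if ($1 in ok) {
                gid[$3] = 1
                m = split($4, mem, ",")
                for (i = 1; i <= m; i++) if (mem[i] != "") print mem[i]
            }
            next
        }
        ($4 in gid) { print $1 }          # second file: passwd, primary group
    ' "$group" "$passwd" | sort -u
}

# Constructed sample data: "sshusers" is the group name from the post,
# the accounts are made up for the demonstration.
demo() {
    local d; d=$(mktemp -d)
    printf '%s\n' '#AllowGroups wheel' 'AllowGroups sshusers' > "$d/sshd_config"
    printf '%s\n' 'root:x:0:' 'daemon:x:2:' 'sshusers:x:1001:alice,bob' > "$d/group"
    printf '%s\n' 'root:x:0:0::/root:/bin/bash' 'daemon:x:2:2::/sbin:/sbin/nologin' \
        'alice:x:500:500::/home/alice:/bin/bash' 'bob:x:501:501::/home/bob:/bin/bash' \
        'carol:x:502:1001::/home/carol:/bin/bash' 'joe:x:503:503::/home/joe:/bin/bash' \
        > "$d/passwd"
    ssh_permitted_users "$d/sshd_config" "$d/group" "$d/passwd" | paste -sd ' ' -
    rm -rf "$d"
}

demo   # alice bob carol: root, daemon and joe are not in sshusers
```

An empty result means the AllowGroups line names a group with no members, which would lock every account out of SSH; running "sshd -t" before reloading the daemon catches syntax errors but not that case.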