[CentOS] protecting multiuser systems from bruteforce ssh attacks

Fri Aug 21 14:12:25 UTC 2009
J.Witvliet at MINDEF.NL

Behalf Of Eugene Vilensky
What is the best way to protect multiuser systems from brute force
attacks?  I am setting up a relatively loose DenyHosts policy, but I
like the idea of locking an account for a time if too many attempts are
made, but to balance this with keeping the user from making a helpdesk
What are some policies/techniques that have worked for this list with
minimal hassle?

Hi Eugene,

Depends on the number of users (as you mentioned "multiuser") and how
strongly you want your system to be protected.
If it's not a couple of thousand, I would suggest:
Disabling password login altogether, and using keys only.

On the other hand, you can also demand that all connections must be made
using a VPN connection (OpenVPN/IPsec).
After that you can be assured that any attempt is from a local user.

Both are a much stronger protection than allow/deny or
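
Added example, not part of the original post: a small Python check that an sshd_config really enforces the "keys only" setup suggested above, including the case where a Match block re-enables passwords. The function name and the sample config are constructed for illustration; it assumes a single file with no Include directives and stock OpenSSH defaults.

```python
# sshd keeps the FIRST value it reads for a keyword, keywords are
# case-insensitive, and a Match block can override the global value.
DEFAULTS = {  # OpenSSH behaviour when the keyword is absent
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
}
# Older configs use the deprecated name for keyboard-interactive (PAM) auth.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
WANTED = {  # what "keys only" means for this check
    "passwordauthentication": "no",
    "kbdinteractiveauthentication": "no",
    "pubkeyauthentication": "yes",
}
# Constructed sample: passwords look disabled globally, but a Match
# block turns them back on for one group.
SAMPLE = """\
# sshd_config (constructed sample)
PasswordAuthentication no
PasswordAuthentication yes
ChallengeResponseAuthentication no
Match Group contractors
    PasswordAuthentication yes
"""

def audit_sshd_config(text):
    """Return a list of findings; an empty list means keys-only holds."""
    findings, global_seen, match_seen, match_ctx = [], {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        rest = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":  # start of a new conditional section
            match_ctx, match_seen = rest, {}
            continue
        seen = global_seen if match_ctx is None else match_seen
        if key not in WANTED or key in seen:
            continue  # unrelated keyword, or a later duplicate (ignored by sshd)
        value = rest.split()[0].strip('"').lower() if rest else ""
        seen[key] = value
        if match_ctx is not None and value != WANTED[key]:
            findings.append(f"Match {match_ctx}: {key} {value}")
    for key, want in WANTED.items():
        got = global_seen.get(key, DEFAULTS[key])
        if got != want:
            findings.append(f"global: {key} is {got}, want {want}")
    return findings
```

On a live host, `sshd -T` prints the effective settings and is the authoritative cross-check for what this parser reports.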


