On Thu, 21 Aug 2008 16:58:45 +0200, Michael Tautschnig writes:

>> * use a Firewall to prevent other IP addresses from connecting to your ssh
>> service. restrict just to yours (iptables scripts are easy to find on
>> the web)

> Well, I should have added that my hosts must be world-wide accessible using
> password-based authentication, so this is no option.
i'm using pam_recent to toss out the obvious fakers after a few missed
attempts. that way i still have the capability for password authentication
but without having to keep track of acceptable source ips and similar hassle.

how does it work? my iptables setup allows only a very limited number of new
ssh connections per time period, after which it blocks new conns (simple
application of the "recent match" module). to let legitimate users through
without limitations i use my pam_recent helper: this is a tiny pam session
module which removes the ipt_recent entry for the given peer ip address.
hence every time somebody manages to log in cleanly they get another set of
new conns allowed, while the bruteforcers get blocked after a few
unsuccessful attempts.

the main benefit over fail2ban and similar is that a pam_recent setup needs
no log tailing, no dynamic iptables rules, databases or similar.

details and code: http://snafu.priv.at/mystuff/recent-plus-pam.html

regards
az

-- 
+ Alexander Zangerl + DSA 42BD645D + (RSA 5B586291)
Technical terms of computer science, CIDR: the decimal digit sum of the
binary representation of the netmask. -- Aldo
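To make the mechanism above concrete, here is an added example (not the pam_recent code from the post's URL) that approximates it with stock tools: the iptables "recent" match rate-limits new ssh connections per source, and a pam_exec session hook plays the role of the pam_recent module by deleting the peer's entry from the recent list after a clean login. It assumes sshd on tcp/22, a recent list named SSH_RECENT, the /proc/net/xt_recent interface (older kernels exposed /proc/net/ipt_recent) and that pam_exec exports PAM_RHOST and PAM_TYPE.

```shell
#!/bin/sh
# Added example, not the author's pam_recent module. Assumed names: list
# SSH_RECENT and its /proc entry; adjust for your kernel and sshd port.
RECENT_LIST=${RECENT_LIST:-SSH_RECENT}
RECENT_PROC=${RECENT_PROC:-/proc/net/xt_recent/$RECENT_LIST}

# Emit the iptables rules. Every NEW connection to tcp/22 is recorded per
# source address; a source with 4 or more NEW connections inside 60 seconds
# is dropped until it falls out of the window. --update refreshes the
# timestamp, so a blocked brute-forcer that keeps retrying stays blocked.
ssh_recent_rules() {
    cat <<EOF
iptables -N SSH_CHECK
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j SSH_CHECK
iptables -A SSH_CHECK -m recent --name $RECENT_LIST --update --seconds 60 --hitcount 4 -j DROP
iptables -A SSH_CHECK -m recent --name $RECENT_LIST --set -j ACCEPT
EOF
}

# Stand-in for the pam_recent session module: writing "-<addr>" to the
# recent list's /proc file removes that address, so a user who logged in
# cleanly gets a fresh allowance of new connections.
recent_clear_entry() {
    ip=$1; proc=$2
    # PAM_RHOST may be empty or a hostname; only pass plain digits and dots
    # through, so nothing unexpected is ever written to the kernel interface.
    case "$ip" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    [ -w "$proc" ] || return 1
    echo "-$ip" > "$proc"
}

# Entry point for pam_exec, e.g. in /etc/pam.d/sshd (assumed path):
#   session optional pam_exec.so /usr/local/sbin/ssh-recent.sh pam
# Always exits 0 so a failed clear never turns into a failed login.
pam_session_hook() {
    if [ "${PAM_TYPE:-}" = "open_session" ]; then
        recent_clear_entry "${PAM_RHOST:-}" "$RECENT_PROC" || :
    fi
    return 0
}

case "${1:-}" in
    rules) ssh_recent_rules ;;
    pam)   pam_session_hook ;;
esac
```

Run with `rules` to print the firewall setup (pipe to sh as root to apply it) and with `pam` from pam_exec; the recent list's /proc file can also be inspected to see which addresses are currently counted.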