On Monday 5 June 2006 17:06, Leandro Melo de Sales wrote:
> Hi,
>
> today when I was checking the server log I got many external
> attempts to connect to my sshd service:
>
> ...
> Jun 5 05:09:45 embedded sshd[4740]: Invalid user barbara from x.y.w.z
> Jun 5 05:09:46 embedded sshd[4742]: Invalid user barb from x.y.w.z
> Jun 5 05:09:48 embedded sshd[4744]: Invalid user barbie from x.y.w.z
> Jun 5 05:09:50 embedded sshd[4746]: Invalid user barbra from x.y.w.z
> Jun 5 05:09:51 embedded sshd[4748]: Invalid user barman from x.y.w.z
> Jun 5 05:09:53 embedded sshd[4750]: Invalid user barney from x.y.w.z
> ...
>
> this seems to be a brute force attack, but one thing that worried me
> is why sshd didn't disconnect the remote host after 3 unsuccessful
> attempts? If we see in the log, there are many attempts with a time
> interval between attempts of 2 or 3 seconds, meaning that the sshd
> didn't disconnect the remote host after 3 attempts.
AFAIK, sshd disconnects when 3 incorrect passwords are tried _for the
same account_.

> So, first, am I thinking correctly about the sshd attempts?
> Second, how can I set up sshd or the entire system to permit just 2 or
> 3 attempts of authentication? I was checking the /etc/login.defs file
> and I see the following option:
>
> #
> # Max number of login retries if password is bad
> #
> LOGIN_RETRIES 3
>
> but why didn't this work for the above connection attempts?

See above.

At the very least, you should not permit root login from ssh and choose
very strong passwords for the users that are allowed to log in or
(better) set up public key authentication, although that is not very
practical if the same users may log in from random hosts. In this case,
one-time passwords could be useful (google for opie or otpw).

After that, there are many things you can (and should) do. Some examples
include: changing the port on which the ssh daemon listens (not a very
effective solution though), using port knocking, using iptables to limit
the attempts to no more than two or three per minute, using one of the
many denyhosts/fail2ban/captcha modules out there, and so on. Google is
your friend here.

HTH
--
gentoo-user@gentoo.org mailing list
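The following is an added example, not code from either poster or from any of the tools named in the reply. It shows the per-source counting that the fail2ban/denyhosts/iptables advice boils down to, run over a constructed log in the same format as the quoted excerpt (the IP addresses are documentation ranges, and the 2006 year is assumed because syslog timestamps carry none). It also makes the original question concrete: a per-connection limit never fires against this attacker, because every username in the quoted log arrives on a fresh connection (a new sshd pid), so each connection sees exactly one failure. A per-source sliding window of three failures per minute catches it at the third line. The iptables_rules helper is hypothetical and only renders the commands; it does not run them.

```python
"""Fail2ban-style detector: count failed sshd logins per source address
over a sliding window, contrasted with the per-connection view that a
per-connection limit such as sshd's MaxAuthTries gets to see."""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Two OpenSSH syslog messages that mark a failed login. Syslog timestamps carry
# no year, so the caller supplies one (assumption: all lines are from one year).
FAILURE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r"(?:Invalid user (?P<user>\S+) from (?P<ip>\S+)"
    r"|Failed password for (?:invalid user )?(?P<user2>\S+) from (?P<ip2>\S+) port \d+ ssh2)$"
)

# Constructed sample log in the format of the quoted excerpt. 192.0.2.10 plays
# the attacker (one username per connection); 203.0.113.5 is a legitimate user
# who mistypes twice and then succeeds; 198.51.100.7 is a single stray probe.
SAMPLE_LOG = """\
Jun  5 05:09:45 embedded sshd[4740]: Invalid user barbara from 192.0.2.10
Jun  5 05:09:46 embedded sshd[4742]: Invalid user barb from 192.0.2.10
Jun  5 05:09:48 embedded sshd[4744]: Invalid user barbie from 192.0.2.10
Jun  5 05:09:50 embedded sshd[4746]: Invalid user barbra from 192.0.2.10
Jun  5 05:09:51 embedded sshd[4748]: Invalid user barman from 192.0.2.10
Jun  5 05:09:53 embedded sshd[4750]: Invalid user barney from 192.0.2.10
Jun  5 05:12:03 embedded sshd[4802]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Jun  5 05:20:11 embedded sshd[4850]: Failed password for leandro from 203.0.113.5 port 51234 ssh2
Jun  5 05:20:15 embedded sshd[4850]: Failed password for leandro from 203.0.113.5 port 51234 ssh2
Jun  5 05:20:19 embedded sshd[4850]: Accepted password for leandro from 203.0.113.5 port 51234 ssh2
"""


def parse_failure(line, year=2006):
    """Return (timestamp, pid, user, source_ip) for a failed-login line, else None."""
    m = FAILURE_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m["ts"].split())          # collapse "Jun  5" -> "Jun 5"
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return ts, int(m["pid"]), m["user"] or m["user2"], m["ip"] or m["ip2"]


def per_connection_failures(lines, year=2006):
    """Failures keyed by (ip, pid): the view a per-connection limit has.
    One username per connection never exceeds 1 for the attacker here."""
    counts = Counter()
    for line in lines:
        rec = parse_failure(line, year)
        if rec:
            _ts, pid, _user, ip = rec
            counts[(ip, pid)] += 1
    return counts


def find_offenders(lines, max_attempts=3, window_seconds=60, year=2006):
    """Sliding-window count per source IP across all accounts and connections.
    Returns {ip: timestamp at which the source first reached max_attempts
    failures within window_seconds}. Defaults match the reply's "two or three
    per minute" suggestion."""
    recent = defaultdict(deque)
    offenders = {}
    for line in lines:
        rec = parse_failure(line, year)
        if rec is None:
            continue               # "Accepted password" etc. are not failures
        ts, _pid, _user, ip = rec
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()       # drop attempts older than the window
        if len(window) >= max_attempts and ip not in offenders:
            offenders[ip] = ts
    return offenders


def iptables_rules(offenders, port=22):
    """Hypothetical response step: render one DROP rule per offending source.
    The rules are returned as strings and are not executed."""
    return [f"iptables -I INPUT -p tcp --dport {port} -s {ip} -j DROP"
            for ip in sorted(offenders)]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("max failures seen on any single connection:",
          max(per_connection_failures(lines).values()))
    banned = find_offenders(lines)
    for ip, when in banned.items():
        print(f"{ip} reached the threshold at {when:%H:%M:%S}")
    print("\n".join(iptables_rules(banned)))
```

Run on the sample, the attacker never shows more than one failure on any connection (so a per-connection limit of 3 is never reached), but is flagged at 05:09:48 by the per-source window; the legitimate user with two typos and the single probe are left alone. A real deployment would also want to expire the ban and whitelist your own management hosts, which is exactly what the named tools add on top of this counting.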