[BlueOnyx:11949] Re: Blocking brute force SSH login attempts

George F. Nemeyer tigerwolf at tigerden.com
Wed Jan 9 09:38:55 -05 2013


On Wed, 9 Jan 2013, James wrote:

> Is there a simple way in BlueOnyx to auto-block hosts that fail to login via
> SSH too many times?  Something similar to the Failed Logins settings for the
> BlueOnyx login page but for SSH?

Supposedly, pam_abl will impose a temporary limit that can be configured.
Pam_abl will impose a block after so many failure attempts, and the block
remains for some set amount of time to discourage massive brute force
attacks.

However, I can't tell you how to set it up as I've found pam to be an
utterly arcane, insanely convoluted, and terribly *fragile* collection of
rules that easily break things you don't intend.

If somebody could provide, or point to, a simple tutorial on how it works,
that would be good.

"Denyhosts"  will also do the job.  It works by scanning the logs after
the fact, then tosses those sources with too many failed attempts into the
/etc/hosts.deny file.  I think it can also be configured to remove them
after a time, but if someplace is pounding on us, I'd just as soon never
see them again.  However, "Denyhosts" works with services launched by xinetd,
so isn't very compatible with a pam-based system since pam does its own
thing...thus the 'fragile' comment above.

=^_^=  Tigerwolf
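
The log-scanning approach described in the message above, as an added sketch (not part of the original post and not DenyHosts' own code): it counts failed sshd password attempts per source address and produces /etc/hosts.deny lines for sources at or over a threshold. The log lines, the threshold of 3 and the allowlist are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample of sshd log lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
Jan  9 09:30:01 host sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Jan  9 09:30:03 host sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 40120 ssh2
Jan  9 09:30:05 host sshd[2105]: Failed password for invalid user test from 203.0.113.7 port 40131 ssh2
Jan  9 09:31:10 host sshd[2110]: Failed password for james from 198.51.100.23 port 51200 ssh2
Jan  9 09:31:20 host sshd[2112]: Accepted password for james from 198.51.100.23 port 51204 ssh2
Jan  9 09:32:00 host sshd[2120]: Failed password for invalid user from 192.0.2.9 from 203.0.113.7 port 40150 ssh2
"""

THRESHOLD = 3          # assumed limit: failures before a source is denied
ALLOW = {"192.0.2.1"}  # assumed allowlist, e.g. your own admin address

# The user name is client-supplied text and may contain anything, including
# something that looks like an address. The greedy ".*" plus the "$" anchor
# make the pattern take the address sshd itself wrote at the end of the line.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for .* from "
    r"(\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

def count_failures(log_text):
    """Return a Counter of failed password attempts keyed by source address."""
    counts = Counter()
    for line in log_text.splitlines():
        match = FAILED.search(line.rstrip())
        if match:
            counts[match.group(1)] += 1
    return counts

def deny_entries(log_text, threshold=THRESHOLD, allow=ALLOW):
    """Return hosts.deny lines for sources at or over the threshold."""
    counts = count_failures(log_text)
    return [
        f"sshd: {ip}"
        for ip, failures in sorted(counts.items())
        if failures >= threshold and ip not in allow
    ]

if __name__ == "__main__":
    # Print rather than write, so the result can be reviewed before it
    # is appended to /etc/hosts.deny.
    for entry in deny_entries(SAMPLE_LOG):
        print(entry)
```
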


