NetBSD-Users archive


Re: help? fighting ssh user/password guessing attempts



> Out of curiosity I'd like to come back to my initial question above: Does
> anybody have experience or further reading about NetBSD firewall and the
> PAM system? Installing the PAM-af package was easy, but it's obviously not
> working. How do I start it? I assume the relevant files are located in
> /etc/pam.d/, but I'm reluctant to change anything without deeper
> understanding - for fear that my attempt to fix a problem may open a
> security hole.

You should be aware that you need to enable the usage of PAM within the
/etc/ssh/sshd_config (UsePAM yes|no). Sadly, the man-pages of SSH in
NetBSD do not mention this.
Here is an excerpt from an SSH man page I have from another system:

<snip>

UsePAM

Enables the Pluggable Authentication Module interface.  If set to ``yes''
this will enable PAM authentication using ChallengeResponseAuthentication
and PAM account and session module processing for all authentication
types.

Because PAM challenge-response authentication usually serves an equivalent
role to password authentication, you should disable either
PasswordAuthentication or ChallengeResponseAuthentication.

If UsePAM is enabled, you will not be able to run sshd(8) as a non-root
user.  The default is ``no''.

</snip>

PAM is automatically installed with NetBSD nowadays, so all you -should-
need to do is to enable it within the sshd_config, and maybe edit the
/etc/pam.d/sshd file appropriately.

How pam-af is made to work, I cannot say. I have no experience with
it, since I have never used it. All I can say is that it needs to be inserted
into /etc/pam.d/sshd, probably with a line like this one:

auth            required         pam_af    no_warn

How it can be told whether to call pf, ipf or whatever packet-filter
CLI tool, I cannot say.

Information about pam-af seems a bit thin.

I hope this was helpful with regard to your original question.

(denyhosts looks a bit easier to me, since you need neither a packet filter
nor PAM, and /etc/hosts.deny and tcpwrappers exist on your system anyway,
and transparently so.)

- Volkmar

-- 
http://blog.nifelheim.info/tech
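As an added example that is not part of the message above (nor code from denyhosts or pam-af), the following POSIX shell script turns two pieces of Volkmar's advice into checks you can run: first, whether an sshd_config combines UsePAM yes with both PasswordAuthentication and ChallengeResponseAuthentication left enabled, which is the overlap the quoted man page tells you to avoid (two password-guessing paths instead of one); second, a denyhosts-style pass over sshd log lines that emits /etc/hosts.deny entries for source addresses exceeding a failure threshold. The sshd_config snippets and log lines are constructed for the example (RFC 5737 addresses); the script assumes awk, sort and mktemp are available, that the config has no Match blocks, and that the first occurrence of a keyword wins as in sshd_config(5).

```shell
#!/bin/sh
# Added example, not from the original mailing-list post.
#  1. pam_overlap: does an sshd_config leave both password paths open
#     (UsePAM yes + PasswordAuthentication yes + ChallengeResponseAuthentication yes)?
#  2. deny_list: which addresses in an sshd log exceed a failed-login threshold,
#     printed as "sshd: ADDR" lines suitable for /etc/hosts.deny.
# Assumptions: POSIX sh, awk, sort, mktemp; no Match blocks in the config;
# standard "Failed password for ... from ADDR port ..." syslog lines.

# Print the effective value of keyword $2 in sshd_config $1, or $3 if absent.
# Keywords are case-insensitive; commented-out lines are skipped; the first
# occurrence wins, as sshd itself does.
sshd_option() {
    _val=$(awk -v key="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }
    ' "$1")
    if [ -n "$_val" ]; then printf '%s\n' "$_val"; else printf '%s\n' "$3"; fi
}

# Exit 0 when config $1 keeps two password-guessing paths open under PAM.
# Defaults are sshd's: UsePAM no, PasswordAuthentication yes,
# ChallengeResponseAuthentication yes.
pam_overlap() {
    [ "$(sshd_option "$1" UsePAM no)" = yes ] &&
    [ "$(sshd_option "$1" PasswordAuthentication yes)" = yes ] &&
    [ "$(sshd_option "$1" ChallengeResponseAuthentication yes)" = yes ]
}

# Print "sshd: ADDR" for every address with at least $2 "Failed password"
# lines in log file $1, sorted, ready to append to /etc/hosts.deny.
deny_list() {
    awk -v limit="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i < NF; i++) if ($i == "from") { hits[$(i + 1)]++; break }
        }
        END { for (a in hits) if (hits[a] >= limit) print "sshd: " a }
    ' "$1" | sort
}

# --- constructed sample input (not real configs or logs) -------------------
BAD_CFG=$(mktemp)   # UsePAM on, both password paths effectively enabled
GOOD_CFG=$(mktemp)  # UsePAM on, PasswordAuthentication switched off
LOG=$(mktemp)       # invented auth.log lines, RFC 5737 documentation addresses

cat > "$BAD_CFG" <<'EOF'
# sshd_config (constructed)
Port 22
UsePAM yes
PasswordAuthentication yes
#ChallengeResponseAuthentication no   (commented out, so the default yes applies)
EOF

cat > "$GOOD_CFG" <<'EOF'
# sshd_config (constructed)
UsePAM yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
EOF

cat > "$LOG" <<'EOF'
Mar  3 10:01:07 gw sshd[4121]: Failed password for invalid user admin from 192.0.2.10 port 51204 ssh2
Mar  3 10:01:09 gw sshd[4121]: Failed password for invalid user admin from 192.0.2.10 port 51210 ssh2
Mar  3 10:01:12 gw sshd[4123]: Failed password for root from 192.0.2.10 port 51218 ssh2
Mar  3 10:02:40 gw sshd[4130]: Failed password for volkmar from 198.51.100.7 port 40022 ssh2
Mar  3 10:02:55 gw sshd[4130]: Accepted password for volkmar from 198.51.100.7 port 40022 ssh2
Mar  3 10:03:01 gw sshd[4134]: Failed password for invalid user oracle from 203.0.113.5 port 38810 ssh2
Mar  3 10:03:03 gw sshd[4134]: Failed password for invalid user oracle from 203.0.113.5 port 38811 ssh2
Mar  3 10:03:05 gw sshd[4134]: Failed password for invalid user oracle from 203.0.113.5 port 38812 ssh2
EOF

for cfg in "$BAD_CFG" "$GOOD_CFG"; do
    if pam_overlap "$cfg"; then
        echo "$cfg: UsePAM yes with PasswordAuthentication and ChallengeResponseAuthentication both enabled; disable one"
    else
        echo "$cfg: only one password path open"
    fi
done

echo "hosts.deny lines for addresses with >= 3 failed logins:"
deny_list "$LOG" 3
```

Two caveats a practitioner should keep in mind: entries in /etc/hosts.deny only take effect if sshd was built with libwrap (tcp_wrappers) support, which is how denyhosts works "transparently"; and on OpenSSH 5.1 or later, `sshd -T` prints the effective configuration, which is more reliable than parsing the file yourself once Match blocks are involved.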


