Re: help? fighting ssh user/password guessing attempts

Volkmar Seifert wrote:
Out of curiosity I'd like to come back to my initial question above: Does
anybody have experience or further reading about NetBSD firewall and the
PAM system? Installing the PAM-af package was easy, but it's obviously not
working. How do I start it? I assume the relevant files are located in
/etc/pam.d/, but I'm reluctant to change anything without deeper
understanding - for fear that my attempt to fix a problem may open a
security hole.

You should be aware that you need to enable the usage of PAM within the
/etc/ssh/sshd_config (UsePAM yes|no). Sadly, the man-pages of SSH in
NetBSD do not mention this.
Here is an excerpt of a SSH-manpage I have from another system:

Enables the Pluggable Authentication Module interface.  If set to ``yes''
this will enable PAM authentication using ChallengeResponseAuthentication
and PAM account and session module processing for all authentication

Because PAM challenge-response authentication usually serves an equivalent
role to password authentication, you should disable either
PasswordAuthentication or ChallengeResponseAuthentication.

If UsePAM is enabled, you will not be able to run sshd(8) as a non-root
user.  The default is ``no''.

PAM is automatically installed with NetBSD nowadays, so all you -should-
need to do is to enable it within the sshd_config, and maybe edit the
/etc/pam.d/sshd file appropriately.

How pam-af is brought to work, I cannot say. I have no experience with
it, since I have never used it. All I can say is, it needs to be inserted
into /etc/pam.d/sshd, probably with a line like this one:

auth            required         pam_af    no_warn

How it can be told whether to call pf, ipf or whatever
packetfilter-cli-tool to use, I cannot say.

Information about pam-af seems a bit thin.

I hope this was helpful in regard to your original question.

(denyhosts looks a bit easier to me, since you neither need a packetfilter
nor pam, and /etc/hosts.deny and tcpwrappers exist on your system anyway,
and transparently so.)

- Volkmar
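The two sshd_config points raised above (UsePAM defaults to no, so a module added to /etc/pam.d/sshd is silently ignored until it is switched on, and PasswordAuthentication and ChallengeResponseAuthentication should not both be left enabled alongside PAM) are easy to check mechanically before restarting sshd. The script below is an added example written for this thread, not code from the list or from the pam-af package; it lints a copy of an sshd_config file and never touches /etc/ssh itself. The sample configs it creates are constructed for the self-test. It assumes the plain "Keyword value" layout (with an optional "=") and the OpenSSH defaults of UsePAM no, PasswordAuthentication yes and ChallengeResponseAuthentication yes.

```shell
#!/bin/sh
# Added example: lint the PAM-related settings of an sshd_config copy.
# Run it on a scratch copy (e.g. cp /etc/ssh/sshd_config /tmp/sshd.copy),
# never on the live file, so it can be tried offline.

# sshd_opt FILE KEYWORD DEFAULT
# Print the effective value (lower-cased) of KEYWORD in FILE. As in
# sshd_config(5), the first uncommented occurrence wins and keyword
# matching is case-insensitive; DEFAULT is printed when it is absent.
sshd_opt() {
    val=$(awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments/blanks
        { sub(/=/, " ") }                                # allow Keyword=value
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# check_sshd_pam FILE
# Exit status 0: PAM is on and the password-style methods do not overlap.
#             1: UsePAM is not "yes", so /etc/pam.d/sshd (and pam_af) is
#                never consulted - the symptom described in the thread.
#             2: UsePAM yes but PasswordAuthentication and
#                ChallengeResponseAuthentication are both enabled, the
#                redundancy the man page excerpt says to avoid.
check_sshd_pam() {
    usepam=$(sshd_opt "$1" UsePAM no)                        # OpenSSH default
    passwd=$(sshd_opt "$1" PasswordAuthentication yes)        # OpenSSH default
    chall=$(sshd_opt "$1" ChallengeResponseAuthentication yes) # OpenSSH default
    if [ "$usepam" != yes ]; then
        echo "$1: UsePAM is '$usepam'; modules in /etc/pam.d/sshd will not run"
        return 1
    fi
    if [ "$passwd" = yes ] && [ "$chall" = yes ]; then
        echo "$1: PasswordAuthentication and ChallengeResponseAuthentication" \
             "are both enabled with UsePAM; disable one of them"
        return 2
    fi
    echo "$1: UsePAM yes, PasswordAuthentication $passwd," \
         "ChallengeResponseAuthentication $chall"
    return 0
}

# make_samples
# Create three constructed sshd_config fragments in a temp dir and print
# the directory name. These are made up for the self-test, not real configs.
make_samples() {
    d=$(mktemp -d) || return 1
    cat > "$d/pam_off" <<'EOF'
# UsePAM left commented out, so the default (no) applies
Port 22
#UsePAM yes
PasswordAuthentication yes
EOF
    cat > "$d/both_on" <<'EOF'
UsePAM yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
EOF
    cat > "$d/ok" <<'EOF'
usepam=yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
EOF
    printf '%s\n' "$d"
}

# Demonstration on the constructed samples: one report line per file.
samples=$(make_samples)
for f in pam_off both_on ok; do
    check_sshd_pam "$samples/$f" || true
done
rm -rf "$samples"
```

To use it on a real host, copy the live file somewhere writable, run `check_sshd_pam /path/to/copy`, and only after it returns 0 consider adding the pam_af line to /etc/pam.d/sshd and restarting sshd; a non-zero status tells you which of the two settings from the man page excerpt still needs attention.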

Besides enabling pam_authentication in sshd_config, you have to give 'pam_af' some rules about what to do: read the 'pam_af_tool' man page.

I have been using it for about half a year now and it seems to work quite reliably, according to the list
of blocked hosts.

I. Meyer