Re: help? fighting ssh user/password guessing attempts
Volkmar Seifert wrote:
Besides enabling pam_authentication in sshd_conf, you have to give
'pam_af' some rules about what to do: read the 'pam_af_tool' man page.
Out of curiosity I'd like to come back to my initial question above: Does
anybody have experience or further reading about NetBSD firewall and the
PAM system? Installing the PAM-af package was easy, but it's obviously not
working. How do I start it? I assume the relevant files are located in
/etc/pam.d/, but I'm reluctant to change anything without deeper
understanding - for fear that my attempt to fix a problem may open a
You should be aware that you need to enable the usage of PAM within the
/etc/ssh/sshd_config (UsePAM yes|no). Sadly, the man-pages of SSH in
NetBSD do not mention this.
Here is an excerpt from an SSH man page I have from another system:
Enables the Pluggable Authentication Module interface. If set to ``yes''
this will enable PAM authentication using ChallengeResponseAuthentication
and PAM account and session module processing for all authentication
Because PAM challenge-response authentication usually serves an equivalent
role to password authentication, you should disable either
PasswordAuthentication or ChallengeResponseAuthentication.
If UsePAM is enabled, you will not be able to run sshd(8) as a non-root
user. The default is ``no''.
PAM is automatically installed with NetBSD nowadays, so all you -should-
need to do is to enable it within the sshd_config, and maybe edit the
How pam-af is made to work, I cannot say. I have no experience with
it, since I have never used it. All I can say is, it needs to be inserted
into /etc/pam.d/sshd, probably with a line like this one:
auth required pam_af no_warn
How it can be told which packet-filter CLI tool to call (pf, ipf or
whatever), I cannot say.
Information about pam-af seems a bit thin.
I hope this was helpful in regard of your original question.
(denyhosts looks a bit easier to me, since you neither need a packetfilter
nor pam, and /etc/hosts.deny and tcpwrappers exists on your system anyway,
and transparently so.)
I have been using it for about half a year now, and it seems to work quite
reliably, according to the list of blocked hosts.
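As an added example (not code from the thread, from denyhosts or from pam-af): a small sh/awk script that does the core of what denyhosts does, counting "Failed password" sshd log lines per source IP and printing tcpwrappers hosts.deny entries for hosts that reach a threshold. The sample log lines and the OpenSSH log wording are constructed assumptions.

```shell
#!/bin/sh
# Added example: minimal denyhosts-style triage of sshd auth log lines.
# Counts failed password attempts per source IP and prints hosts.deny
# entries ("sshd: <ip>") for IPs at or above a threshold.

# Constructed sample auth log (assumes OpenSSH "Failed password ... from <ip>" wording).
SAMPLE_LOG='Mar  3 10:01:02 host sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 40122 ssh2
Mar  3 10:01:05 host sshd[1234]: Failed password for root from 192.0.2.10 port 40123 ssh2
Mar  3 10:01:09 host sshd[1240]: Failed password for invalid user oracle from 192.0.2.10 port 40130 ssh2
Mar  3 10:02:00 host sshd[1250]: Accepted publickey for alice from 198.51.100.7 port 51000 ssh2
Mar  3 10:03:11 host sshd[1260]: Failed password for invalid user test from 203.0.113.5 port 33000 ssh2'

# failed_counts: read log text from stdin, print "<ip> <count>" per source IP
# that produced at least one failed password attempt (sorted by IP).
failed_counts() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { ip[$(i+1)]++; break }
         }
         END { for (h in ip) print h, ip[h] }' | sort
}

# deny_entries THRESHOLD: emit hosts.deny lines for IPs whose failed-attempt
# count reaches THRESHOLD. Review the output before appending it to /etc/hosts.deny.
deny_entries() {
    threshold="$1"
    failed_counts | awk -v t="$threshold" '$2 >= t { print "sshd: " $1 }'
}

# Example run: hosts with 3 or more failures in the sample log.
printf '%s\n' "$SAMPLE_LOG" | deny_entries 3
# prints: sshd: 192.0.2.10
```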