NetBSD-Users archive


Re: help? fighting ssh user/password guessing attempts



On Thu 16 Oct 2008 at 11:09:24 +0200, Volkmar Seifert wrote:
> How pam-af is brought to work, I cannot say. I have no experience with
> it, since I have never used it. All I can say is, it needs to be inserted
> into /etc/pam.d/sshd, probably with a line like this one:
> 
> auth            required         pam_af    no_warn

I have this in my /etc/pam.d/sshd, as the first entry in the "auth"
section:

# auth
auth            requisite       /usr/pkg/lib/security/pam_af.so debug

You should indeed also use pam_af_tool to set some rules. Most likely
you will want to set some default number of allowed tries and a lockout
time, and then have some exceptions for hosts that you trust better
(such as locations from which you log in to your machine). Something
like

pam_af_tool ruleadd -h '*' -a 2 -t 3d
pam_af_tool ruleadd -h '127.0.0.1' -a unlimited -t 0
pam_af_tool ruleadd -h '::1' -a unlimited -t 0

As an observation, it seems that PAM is hooked differently (better) into
NetBSD's sshd than in FreeBSD's sshd.  I conclude this from the fact
that on FreeBSD I see far fewer blocked hosts in the statistics.

With FreeBSD, apparently a check for a valid user name is done first by
sshd, and only if that passes, PAM will be called. This has the effect
that only attempts for actually existing users will count towards the
blocking limit.

With NetBSD, any attempt will be counted, which is good since most tries
are for non-existing user names anyway, so even if an attacker stumbles
upon a user name that you actually have on your system, it will be
locked out before that.

> - Volkmar
-Olaf.
-- 
___ Olaf 'Rhialto' Seibert    -- You author it, and I'll reader it.
\X/ rhialto/at/xs4all.nl      -- Cetero censeo "authored" delendum esse.
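The following is an added illustration, not part of the mail above and not pam_af's own code: it models the lockout policy from the three pam_af_tool rules (2 tries then a 3-day lockout by default, unlimited tries for the loopback addresses) and counts every failed attempt in constructed sshd log lines, including those for non-existing users, as the post says NetBSD does. The rule lookup (exact host before the '*' catch-all) and the "lock once the allowance is exceeded" semantics are simplifying assumptions, not a statement of how pam_af evaluates rules.

```python
import re
from collections import defaultdict

# Constructed rules mirroring the pam_af_tool ruleadd lines in the mail:
# host -> (allowed tries or None for unlimited, lockout in seconds).
RULES = {
    "*": (2, 3 * 24 * 3600),   # -a 2 -t 3d
    "127.0.0.1": (None, 0),    # -a unlimited -t 0
    "::1": (None, 0),          # -a unlimited -t 0
}

# Constructed sshd log lines (sample data, not from a real host). Both the
# "Invalid user" form (non-existing account) and the "Failed password" form
# (existing account) are counted, as every attempt reaches PAM on NetBSD.
LOG = """\
Oct 16 11:01:02 host sshd[100]: Invalid user admin from 203.0.113.7
Oct 16 11:01:05 host sshd[101]: Invalid user test from 203.0.113.7
Oct 16 11:01:09 host sshd[102]: Failed password for olaf from 203.0.113.7 port 4444 ssh2
Oct 16 11:02:00 host sshd[103]: Failed password for olaf from 127.0.0.1 port 5555 ssh2
Oct 16 11:02:01 host sshd[104]: Failed password for olaf from 127.0.0.1 port 5556 ssh2
Oct 16 11:02:02 host sshd[105]: Failed password for olaf from 127.0.0.1 port 5557 ssh2
Oct 16 11:03:00 host sshd[106]: Invalid user guest from 198.51.100.9
"""

# Matches either log form and captures the source address.
ATTEMPT_RE = re.compile(
    r"(?:Invalid user \S+|Failed password for (?:invalid user )?\S+) from (\S+)"
)

def rule_for(host):
    """Assumed lookup: an exact host rule wins, otherwise the '*' default."""
    return RULES.get(host, RULES["*"])

def count_attempts(log):
    """Number of failed attempts per source host, existing users or not."""
    counts = defaultdict(int)
    for line in log.splitlines():
        m = ATTEMPT_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)

def locked_hosts(log):
    """Hosts whose attempts exceed their allowance, with the lockout they get."""
    locked = {}
    for host, n in count_attempts(log).items():
        allowed, lockout = rule_for(host)
        if allowed is not None and n > allowed:
            locked[host] = lockout
    return locked

if __name__ == "__main__":
    print(locked_hosts(LOG))  # 203.0.113.7 locked for 3 days; loopback exempt
```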