Delay between failed login attempts? (OpenSSH) - SSH


  1. Delay between failed login attempts? (OpenSSH)

    Hi

    I'm using OpenSSH on Suse 10.2

    I get hackers trying to ssh into my server all the time and
    /var/log/messages fills up with various messages like below

    Sep 18 01:58:06 linux sshd[28115]: Invalid user guest from 222.83.228.151
    Sep 18 01:58:12 linux sshd[28117]: Invalid user guest from 222.83.228.151
    Sep 18 01:58:19 linux sshd[28119]: Invalid user guest from 222.83.228.151
    Sep 18 01:58:26 linux sshd[28121]: Invalid user guest from 222.83.228.151

    Obviously these people are using some kind of brute force password
    guessing program to attempt to gain access to my system.

    Can I increase the delay between failed login attempts? Say after a
    certain number of failed logins the ssh server doesn't accept new
    connections for a few seconds?

    I want these types of programs to be frustratingly long to use for the
    hackers trying to gain access.

    Any ideas?


  2. Re: Delay between failed login attempts? (OpenSSH)

    On Sep 18, 6:12 am, Suk wrote:

    > I'm using OpenSSH on Suse 10.2
    >
    > I get hackers trying to ssh into my server all the time and
    > /var/log/messages fills up with various messages like below
    >
    > Sep 18 01:58:06 linux sshd[28115]: Invalid user guest from 222.83.228.151

    [...]
    > Obviously these people are using some kind of brute force password
    > guessing program to attempt to gain access to my system.
    >
    > Can I increase the delay between failed login attempts? Say after a
    > certain number of failed logins the ssh server doesn't accept new
    > connections for a few seconds?


    Options like these help (in /etc/sshd_config):

    MaxAuthTries 4
    MaxStartups 1:3:6

    > I want these types of programs to be frustratingly long to use for the
    > hackers trying to gain access.
    >
    > Any ideas?


    Block them, you only need ssh built with tcp_wrappers support and one
    of:

    - DenyHosts
    - Fail2ban
    - probably others

    that monitor a log file (authlog, messages, syslog,...) and block the
    IP after a given number of failed tries. Of course you can white list
    your own LAN or known external hosts.
    --
    René Berber
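
Added example, not part of the thread and not DenyHosts or Fail2ban code: a minimal sketch of the log-monitoring approach the reply above describes, counting "Invalid user" lines per source IP in a sliding window and skipping whitelisted networks. The thresholds, the whitelist network, the year and every log line after the four from the first post are assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the sshd "Invalid user" syslog lines quoted in the first post.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Invalid user \S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)

def offenders(lines, max_failures=3, window_seconds=60, whitelist=(), year=2007):
    """Return {ip: datetime the threshold was hit}; year is assumed (syslog omits it)."""
    nets = [ipaddress.ip_network(n) for n in whitelist]
    recent = defaultdict(deque)  # ip -> failure times inside the sliding window
    blocked = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:  # e.g. an octet above 255: not a usable address
            continue
        if str(ip) in blocked or any(ip in net for net in nets):
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[str(ip)]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # forget failures older than the window
        if len(q) >= max_failures:
            blocked[str(ip)] = ts
    return blocked

# The first four lines are the ones from the post; the rest are constructed.
SAMPLE_LOG = """\
Sep 18 01:58:06 linux sshd[28115]: Invalid user guest from 222.83.228.151
Sep 18 01:58:12 linux sshd[28117]: Invalid user guest from 222.83.228.151
Sep 18 01:58:19 linux sshd[28119]: Invalid user guest from 222.83.228.151
Sep 18 01:58:26 linux sshd[28121]: Invalid user guest from 222.83.228.151
Sep 18 02:10:00 linux sshd[28200]: Invalid user test from 203.0.113.7
Sep 18 03:00:01 linux sshd[28300]: Invalid user bob from 192.168.1.20
Sep 18 03:00:02 linux sshd[28301]: Invalid user bob from 192.168.1.20
Sep 18 03:00:03 linux sshd[28302]: Invalid user bob from 192.168.1.20
""".splitlines()
if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG, whitelist=["192.168.1.0/24"]).items():
        print(f"{when:%b %d %H:%M:%S}  would block {ip}")
```

With the whitelist in place only 222.83.228.151 crosses the threshold, at its third failure; without it, the constructed LAN host would be flagged as well.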


  3. Re: Delay between failed login attempts? (OpenSSH)

    On 2007-09-18, Suk wrote:
    >
    > Can I increase the delay between failed login attempts? Say after a
    > certain number of failed logins the ssh server doesn't accept new
    > connections for a few seconds?



    If you're on Linux, you could do something like:

    -A RH-Firewall-1-INPUT -m tcp -p tcp -m recent --dport 22 --rcheck --seconds 30 --hitcount 2 --name sshlist --rsource -j LOG --log-prefix "SSH ATTACK: "
    -A RH-Firewall-1-INPUT -m tcp -p tcp -m recent --dport 22 --rcheck --seconds 30 --hitcount 2 --name sshlist --rsource -j DROP
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -m recent --dport 22 --set --name sshlist --rsource -j ACCEPT

    in your iptables. That will block any IP that tries to connect more than
    twice in 30 seconds.


    -jf
