[wplug] Any tips against this kind of ssh break-in?

Devin Lee Drew dld at pobox.com
Fri Jul 15 15:26:55 EDT 2005


--- Russ Schneider <russ at sugapablo.com> wrote:

> "Failed password for illegal user".

Russ, to add my two cents and answer the question in your
subject line directly: use passwords that aren't easily
guessable.

Also, I don't think that anyone has mentioned PAM policy
yet. You can do the same thing in sshd_config it appears
...

from /etc/pam.d/system-auth:
password    requisite    /lib/security/$ISA/pam_cracklib.so retry=3

from /etc/ssh/sshd_config:
PermitRootLogin no
MaxAuthTries 6

I don't know which takes precedence. Anyone? It doesn't worry
me enough at this moment to test it. In any case, this
limits the number of guesses the monkeys can make with
their banana scripts. It also makes a potential denial of
service for new logons.

Also, no one mentioned running sshd on a non-standard port.
Might be an option for you. I don't know. I do know that my
experiences with PortSentry and line by line log reading
"it looks like this guy is attacking me!"  has made me
crazy in the past. 

You use a good password for the system in question right?
If so, none of this matters. These, as Bill Moran
mentioned, are dumb scripts knocking on your door to see if
you have dumb passwords.  

Devin

from man sshd_config

LoginGraceTime
The server disconnects after this time if the user has not
successfully logged in.  If the value is 0, there is no
time limit. The default is 120 seconds.

MaxAuthTries
Specifies the maximum number of authentication attempts
permitted per connection.  Once the number of failures
reaches half this value, additional failures are logged. 
The default is 6.    

MaxStartups
Specifies the maximum number of concurrent unauthenticated
connections to the sshd daemon.  Additional connections
will be dropped until authentication succeeds or the
LoginGraceTime expires for a connection.  The default is
10. Alternatively, random early drop can be enabled by
specifying the three colon separated values
“start:rate:full” (e.g., "10:30:60").  sshd will refuse
connection attempts with a probability of “rate/100” (30%)
if there are currently “start” (10) unauthenticated
connections.  The probability increases linearly and all
connection attempts are refused if the number of
unauthenticated connections reaches “full” (60).
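As an added example (not part of the original post), the following Python models the MaxStartups random early drop rule quoted from the man page above and audits a constructed sshd_config fragment for the directives Devin mentions; the sample config text is an assumption made up for the example.

```python
"""Added example (not from the original post): model the MaxStartups random
early drop quoted from man sshd_config above and audit a constructed sshd_config."""
import re

def parse_max_startups(value):
    """Return (start, rate, full) for "10" or "start:rate:full"."""
    parts = [int(p) for p in value.split(":")]
    if len(parts) == 1:  # plain cap: refuse everything once the limit is hit
        return parts[0], 100, parts[0]
    if len(parts) != 3 or not 0 < parts[0] < parts[2] or not 0 <= parts[1] <= 100:
        raise ValueError("bad MaxStartups value: %r" % value)
    return tuple(parts)

def drop_probability(max_startups, unauthenticated):
    """Percent chance sshd refuses a new connection with `unauthenticated`
    pending: 0 below start, rate% at start, linear up to 100% at full."""
    start, rate, full = parse_max_startups(max_startups)
    if unauthenticated < start:
        return 0.0
    if unauthenticated >= full:
        return 100.0
    return rate + (100 - rate) * (unauthenticated - start) / (full - start)

# Constructed sshd_config fragment (an assumption, not any real host's file).
SAMPLE_SSHD_CONFIG = """\
PermitRootLogin yes
MaxAuthTries 10
"""

def parse_sshd_config(text):
    """Map lowercased directive -> value, skipping comments and blank lines."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            fields = re.split(r"[\s=]+", line, maxsplit=1)
            settings[fields[0].lower()] = fields[1] if len(fields) > 1 else ""
    return settings

def audit_sshd_config(text):
    """Return findings for the directives the post discusses."""
    s = parse_sshd_config(text)
    findings = []
    if s.get("permitrootlogin") != "no":
        findings.append("PermitRootLogin is not 'no'")
    if int(s.get("maxauthtries", "6")) > 6:
        findings.append("MaxAuthTries exceeds the default of 6")
    if "maxstartups" not in s:
        findings.append("MaxStartups not set; defaults apply")
    return findings
```

With "10:30:60", the refusal chance is 30% at 10 pending connections, 65% at 35 and 100% at 60, which is what makes the setting a trade-off between resisting guessing scripts and refusing legitimate new logins.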
