[sclug] SSHD automatic firewalling
Alex Butcher
lug at assursys.co.uk
Sat Feb 12 11:01:49 UTC 2005
On Sat, 12 Feb 2005, Hamlesh Motah wrote:
> Does anyone know if it is possible to have sshd add a drop rule to
> iptables if a user tries to ssh but fails to authenticate twice?
There's nothing built in to sshd to allow you to do that.
But you /could/ set MaxAuthTries in sshd_config to 4, which will cause two
login failures to generate a log entry. You can then arrange for a daemon to
read /var/log/messages and insert a netfilter rule accordingly. Bear in mind
that this could result in a DoS if an attacker knows the IP addresses which
legitimate users connect from.
> The alternative I guess would be to permit SSH to only a specific number
> of ips.
That would actually be the preferred alternative, possibly combined with
port knocking (e.g. <http://www.zeroflux.org/knock/>) if the set of
legitimate users is small (or one) and the set of legitimate potential
client hosts is large (or the entire Internet).
> Hamlesh Motah.
Best Regards,
Alex.
--
Alex Butcher Brainbench MVP for Internet Security: www.brainbench.com
Bristol, UK Need reliable and secure network systems?
PGP/GnuPG ID:0x271fd950 <http://www.assursys.com/>
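The log-reading daemon Alex sketches, as an added example that is not part of the original thread: it parses the classic OpenSSH "Failed password ... from" syslog lines, counts failures per source address, and builds an iptables DROP rule once the count reaches two, skipping an allowlist of networks legitimate users connect from so that the DoS he warns about cannot be triggered against them. The log lines, the allowlist ranges and the threshold are constructed for illustration.

```python
# Added example, not from the thread: count sshd auth failures per source IP
# in syslog and build the netfilter DROP rule for repeat offenders.
import re
import subprocess
from collections import Counter
from ipaddress import ip_address, ip_network

THRESHOLD = 2  # failures before a rule is inserted, as the question asks
# Never block networks legitimate users connect from (the DoS the reply warns
# about). These are documentation ranges, i.e. constructed placeholders.
ALLOWLIST = [ip_network("192.0.2.0/24"), ip_network("127.0.0.0/8")]

# Classic OpenSSH syslog line for a failed authentication attempt.
FAIL_RE = re.compile(r"sshd\[\d+\]: Failed \w+ for (?:invalid user )?\S+ from "
                     r"(\d{1,3}(?:\.\d{1,3}){3}) port \d+")

# Constructed sample of /var/log/messages, not real traffic.
SAMPLE_LOG = """\
Feb 12 10:58:01 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 4410 ssh2
Feb 12 10:58:05 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 4410 ssh2
Feb 12 10:59:12 bastion sshd[2210]: Failed password for root from 198.51.100.9 port 5001 ssh2
Feb 12 11:00:30 bastion sshd[2215]: Failed password for alex from 192.0.2.10 port 5210 ssh2
Feb 12 11:00:34 bastion sshd[2215]: Failed password for alex from 192.0.2.10 port 5210 ssh2
""".splitlines()

def failures_by_ip(lines):
    """Count failed authentications per source IP."""
    counts = Counter()
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def ips_to_block(lines, threshold=THRESHOLD):
    """Source IPs at or over the threshold that are not allowlisted."""
    return sorted(ip for ip, n in failures_by_ip(lines).items()
                  if n >= threshold
                  and not any(ip_address(ip) in net for net in ALLOWLIST))

def drop_rule(ip):
    """iptables argv that drops new SSH connections from ip (root needed to run)."""
    return ["iptables", "-I", "INPUT", "-s", ip, "-p", "tcp",
            "--dport", "22", "-j", "DROP"]

def apply_rules(lines, dry_run=True):
    """Return the rules for offending IPs and insert them unless dry_run."""
    rules = [drop_rule(ip) for ip in ips_to_block(lines)]
    if not dry_run:
        for argv in rules:
            subprocess.run(argv, check=True)
    return rules
```

Calling `apply_rules(open("/var/log/messages"))` gives a dry run over the live log; a real daemon would tail the file and pass `dry_run=False` under root, and should also expire the rules it inserts.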