[PLUG] PermitRootLogin no

Roderick A. Anderson raanders at cyber-office.net
Tue Apr 20 21:59:32 UTC 2010


chris (fool) mccraw wrote:
> On Tue, Apr 20, 2010 at 14:01, glen e. p. ropella <gepr at tempusdictum.com> wrote:
>> I'm running sshd on a server and I've set:
>>
>>   PermitRootLogin no
>>
>> But I _assumed_ it would stop attempts like the following:
>>
>> -----------------------
>> Apr 19 07:11:49 huntlab sshd[15840]: pam_unix(sshd:auth): authentication
>> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=204.228.225.88
>> user=root
>>
>> Apr 19 07:11:50 huntlab sshd[15840]: Failed password for root from
>> 204.228.225.88 port 50082 ssh2
>> -----------------------
> 
> It won't let them login even if they guess the right password.
> 
> But aside from explicitly firewalling every IP you won't ever want to
> connect from completely, you're pretty well stuck in reactionary mode:
>  wait for the (guaranteed to fail) attempt and then block it.
> 
> i use the program 'denyhosts' to kick people off the lawn after 3
> failed login attempts.  but it only defends against IPs that knock 3
> times.  still a lot better to read logs with 3 attempts in, than 3000.
>  and it's pretty versatile so can work for other services (ftp for
> instance) that someone might also try to break into with brute force
> repeated attempts.

I used to use denyhosts but found these iptables rules a touch more 
proactive.

-N SSH_WHITELIST
-A SSH_WHITELIST -s $any_ip_or_range -m recent --remove --name SSH -j ACCEPT

# $any_ip_or_range is an IP or range you don't want tested.
# I ran into a Windows client that hammered and I sometimes
# log into several Linux-Vserver guests in a very short period.

-A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
-A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST

# four failed attempts in 60 seconds and the connection just gets
# dropped

-A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

# other rules go here with this near the end.
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

>> And I've heard babble about PAM settings and such.  So, I'm thinking
>> that I just don't have it locked up completely.  I expected the sshd
>> server to immediately refuse the connection without having to go through
>> the challenge response or password auth.

It has to at least know who is logging in so there will be at least one 
attempt.

> i don't know of anything like that, but if you find something that
> isn't talked about on list, please let us know!

I ran into this with a Fedora 12 install.  With my netbook I 
needed/wanted to log in graphically as root so I modified 
/etc/pam.d/{gdm,gdm-password} and commented out the lines:

auth	required	pam_succeed_if.so user != root quiet

in both.  Old habits die slowly (if at all) so I still log in as root; 
sometimes at a workstation and quite often to the servers I admin.

The only thing about ssh that comes to mind are the lines:

auth	optional	pam_gnome_keyring.so
session	optional	pam_gnome_keyring.so auto_start

which, I think, let me log in with my ssh passphrase (like doing 
add-agent) or account password.


Rod
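The "four attempts in 60 seconds" window from the iptables rules above, applied to sshd log lines like the ones quoted at the top of the thread, as an added example that is not part of this thread or of denyhosts; the log lines are constructed, and the whitelist parameter plays the role of the SSH_WHITELIST chain.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd log lines modelled on the ones quoted in the thread.
SAMPLE_LOG = """\
Apr 19 07:11:50 huntlab sshd[15840]: Failed password for root from 204.228.225.88 port 50082 ssh2
Apr 19 07:11:55 huntlab sshd[15841]: Failed password for root from 204.228.225.88 port 50090 ssh2
Apr 19 07:12:03 huntlab sshd[15842]: Failed password for invalid user admin from 204.228.225.88 port 50101 ssh2
Apr 19 07:12:40 huntlab sshd[15843]: Failed password for root from 204.228.225.88 port 50130 ssh2
Apr 19 07:13:10 huntlab sshd[15850]: Failed password for root from 10.0.0.5 port 40000 ssh2
Apr 19 07:20:00 huntlab sshd[15860]: Failed password for root from 10.0.0.5 port 40001 ssh2
Apr 19 07:20:01 huntlab sshd[15861]: Failed password for root from 192.0.2.7 port 41000 ssh2
Apr 19 07:20:02 huntlab sshd[15862]: Failed password for root from 192.0.2.7 port 41001 ssh2
Apr 19 07:20:03 huntlab sshd[15863]: Failed password for root from 192.0.2.7 port 41002 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)

def failed_logins(log_text):
    """Yield (timestamp, user, source_ip) for every sshd 'Failed password' line."""
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            # syslog timestamps carry no year; only the relative spacing matters here
            yield datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["user"], m["src"]

def sources_to_block(log_text, seconds=60, hitcount=4, whitelist=()):
    """Return the set of source IPs that reach `hitcount` failures within `seconds`.
    Same sliding window as '-m recent --seconds 60 --hitcount 4', except that it
    counts logged failures instead of every new TCP connection to port 22."""
    window = timedelta(seconds=seconds)
    recent = defaultdict(deque)   # src -> failure timestamps still inside the window
    blocked = set()
    for ts, _user, src in failed_logins(log_text):
        if src in whitelist:       # like SSH_WHITELIST: trusted hosts never accumulate hits
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # expire entries older than the window
            q.popleft()
        if len(q) >= hitcount:
            blocked.add(src)
    return blocked
```

Unlike the iptables rules, which --set an entry for every new connection to port 22 whether or not the login later fails, this counts only logged failures; hitcount=3 reproduces the denyhosts threshold mentioned earlier in the thread.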