[PLUG] PermitRootLogin no
Roderick A. Anderson
raanders at cyber-office.net
Tue Apr 20 21:59:32 UTC 2010
chris (fool) mccraw wrote:
> On Tue, Apr 20, 2010 at 14:01, glen e. p. ropella <gepr at tempusdictum.com> wrote:
>> I'm running sshd on a server and I've set:
>>
>> PermitRootLogin no
>>
>> But I _assumed_ it would stop attempts like the following:
>>
>> -----------------------
>> Apr 19 07:11:49 huntlab sshd[15840]: pam_unix(sshd:auth): authentication
>> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=204.228.225.88
>> user=root
>>
>> Apr 19 07:11:50 huntlab sshd[15840]: Failed password for root from
>> 204.228.225.88 port 50082 ssh2
>> -----------------------
>
> It won't let them log in even if they guess the right password.
>
> But aside from explicitly firewalling every IP you won't ever want to
> connect from completely, you're pretty well stuck in reactionary mode:
> wait for the (guaranteed to fail) attempt and then block it.
>
> I use the program 'denyhosts' to kick people off the lawn after 3
> failed login attempts. But it only defends against IPs that knock 3
> times. Still a lot better to read logs with 3 attempts in, than 3000.
> And it's pretty versatile so can work for other services (ftp for
> instance) that someone might also try to break into with brute force
> repeated attempts.
I used to use denyhosts but found these iptables rules a touch more
proactive.

-N SSH_WHITELIST
-A SSH_WHITELIST -s $any_ip_or_range -m recent --remove --name SSH -j ACCEPT
# $any_ip_or_range is an IP or range you don't want tested.
# I ran into a Windows client that hammered and I sometimes
# log into several Linux-Vserver guests in a very short period.
-A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
-A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
# four failed attempts in 60 seconds and the connection just gets
# dropped
-A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# other rules go here with this near the end.
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
>> And I've heard babble about PAM settings and such. So, I'm thinking
>> that I just don't have it locked up completely. I expected the sshd
>> server to immediately refuse the connection without having to go through
>> the challenge response or password auth.
It has to at least know who is logging in, so there will be at least one
attempt.
> i don't know of anything like that, but if you find something that
> isn't talked about on list, please let us know!
I ran into this with a Fedora 12 install. With my netbook I
needed/wanted to log in graphically as root, so I modified
/etc/pam.d/{gdm,gdm-password} and commented out the lines:
auth required pam_succeed_if.so user != root quiet
in both. Old habits die slowly (if at all) so I still log in as root;
sometimes at a workstation and quite often to the servers I admin.
The only thing about ssh that comes to mind are the lines:
auth optional pam_gnome_keyring.so
session optional pam_gnome_keyring.so auto_start
which, I think, let me log in with my ssh pass phrase (like doing
add-agent) or account password.
Rod
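The iptables rules above count new SSH connections per source with the `recent` module (four hits within 60 seconds, whitelisted sources never counted) and the denyhosts suggestion does the same job from the log. The script below is an added example, not code from this thread or from either tool: it applies that same sliding-window count to sshd log lines of the form quoted at the top of the thread, so a threshold and whitelist can be checked against a log sample before being put into a firewall. The log lines are constructed (RFC 5737 documentation addresses), the function names are my own, and the year is supplied because syslog timestamps omit it.

```python
"""Sliding-window failed-login counter over sshd log lines.

Added example (not from the thread): approximates the counting done by
the iptables 'recent' rules (hitcount within --seconds, with a whitelist
that is never counted) in plain Python over log text.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample in the syslog/sshd format quoted in the thread.
SAMPLE_LOG = """\
Apr 19 07:11:49 huntlab sshd[15840]: Failed password for root from 203.0.113.8 port 50082 ssh2
Apr 19 07:11:50 huntlab sshd[15840]: Failed password for root from 203.0.113.8 port 50082 ssh2
Apr 19 07:11:52 huntlab sshd[15841]: Failed password for root from 203.0.113.8 port 50090 ssh2
Apr 19 07:11:55 huntlab sshd[15842]: Failed password for root from 203.0.113.8 port 50101 ssh2
Apr 19 07:12:03 huntlab sshd[15843]: Failed password for invalid user admin from 198.51.100.7 port 41000 ssh2
Apr 19 07:15:10 huntlab sshd[15850]: Failed password for root from 198.51.100.7 port 41010 ssh2
Apr 19 07:20:00 huntlab sshd[15860]: Failed password for rod from 192.0.2.10 port 33000 ssh2
Apr 19 07:20:01 huntlab sshd[15861]: Failed password for rod from 192.0.2.10 port 33001 ssh2
Apr 19 07:20:02 huntlab sshd[15862]: Failed password for rod from 192.0.2.10 port 33002 ssh2
Apr 19 07:20:03 huntlab sshd[15863]: Failed password for rod from 192.0.2.10 port 33003 ssh2
"""

# Timestamp plus the "Failed password for [invalid user] <user> from <ip>" form.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2010):
    """Yield (datetime, user, ip) for every failed-password line."""
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def find_offenders(log_text, whitelist=(), window_seconds=60, hitcount=4, year=2010):
    """Return the set of source IPs that reached `hitcount` failures within
    any `window_seconds` span, skipping whitelisted networks entirely.
    Mirrors '--seconds 60 --hitcount 4' with an SSH_WHITELIST bypass."""
    allowed = [ip_network(n) for n in whitelist]
    recent = defaultdict(deque)  # ip -> timestamps of failures still in the window
    offenders = set()
    for ts, _user, ip in parse_failures(log_text, year):
        if any(ip_address(ip) in net for net in allowed):
            continue  # whitelisted sources are never counted
        hits = recent[ip]
        hits.append(ts)
        # discard hits that have aged out of the window
        while (ts - hits[0]).total_seconds() > window_seconds:
            hits.popleft()
        if len(hits) >= hitcount:
            offenders.add(ip)
    return offenders


if __name__ == "__main__":
    for ip in sorted(find_offenders(SAMPLE_LOG, whitelist=["192.0.2.0/24"])):
        print(f"would drop new connections from {ip}")
```

Run against the sample, 203.0.113.8 trips the four-in-sixty-seconds threshold, 198.51.100.7 does not (two failures three minutes apart), and 192.0.2.10 would trip it but is exempt because it sits in the whitelisted range, which is exactly the case the SSH_WHITELIST chain exists for.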