From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Tue, 2 Aug 2005 22:11:05 -0400
From: Willie Wong
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Testing how secure a server is...
Message-ID: <20050803021105.GA6477@princeton.edu>
References: <8f7a9d5805080216505f9b4a51@mail.gmail.com> <8f7a9d58050802181843723462@mail.gmail.com>
User-Agent: Mutt/1.5.8i

On Tue, Aug 02, 2005 at 09:43:17PM -0400, Colin wrote:
> Neither is what I was thinking of, but they're quite similar.
> LoginGraceTime means if nobody logged in within 10 minutes of the
> connection being opened, then it will be closed. I don't know
> exactly what MaxAuthTries does, but I imagine after the sixth invalid
> login, the connection would be closed.
>

Yes, and if the failure count reaches half the number, all further failures will be logged. In the case of MaxAuthTries 6, it means that the first three failures will go unnoticed, the fourth through sixth are logged, and the connection closes after that.

There is, unfortunately, no option in sshd_config to allow for the behaviour you specified, where after a password failure the next prompt comes up delayed by five seconds. Perhaps it should be put in as a feature request (=.

Your best bet against brute-forcing sshd is 1) not allowing password login at all, or 2) using some sort of IDS coupled with a firewall rule to block the particular host after multiple login failures. But even that won't stop a distributed brute force. But then again, if you are guarding a system that really demands that much security against a determined cracker, you really should consider NOT putting the system on the internet. Or 3) maybe port-knocking?

Note that just by running ssh on a non-standard port, you probably are avoiding most of the 5|<|21p7 kiddie attacks... again, only someone who really wants in on your system will take the effort to locate where sshd is listening.

> I found this site, check it out. It's for Red Hat (Gentoo is
> better!), but it's the same SSHd:
> http://www.faqs.org/docs/securing/chap15sec122.html

--
It's easy to come up with new ideas; the hard part is letting go of what worked for you two years ago, but will soon be out of date. -- Roger Von Oech

Sortir en Pantoufles: up 2 days, 9:25
--
gentoo-user@gentoo.org mailing list