SLUG Mailing List Archives
Re: [SLUG] ssh certificate logins
- To: slug@xxxxxxxxxxx
- Subject: Re: [SLUG] ssh certificate logins
- From: Daniel Pittman <daniel@xxxxxxxxxxxx>
- Date: Fri, 10 Oct 2008 10:58:21 +1100
- Organization: I know I put it down here, somewhere.
- User-agent: Gnus/5.110006 (No Gnus v0.6) Emacs/23.0.60 (gnu/linux)
Erik de Castro Lopo <mle+slug@xxxxxxxxxxxxx> writes:
> Phill O'Flynn wrote:
>> I am running a Fedora server and currently using hosts.allow to
>> only allow ssh accesses from specific IP addresses. I did this because I was getting
>> a lot of idiots from eastern Europe and Russia trying to crack my server.
>> This has been ok but now is proving to be too restrictive. Can I get the
>> server to force certificate based logins only?? If so how do I do it?? Is this the
>> best approach anyway??
> Also have a look at pam_abl:
Oh, nice tool. It is a pity that it isn't maintained upstream any
longer, or packaged for Debian / Ubuntu. Being a PAM module is
especially nice, since it means that this would work for *any* PAM
integrated application, not just SSH.
Personally, I use fail2ban which uses the cruder, but still
effective, technique of reading your logs and blocking people who try to
guess passwords via iptables.
I like it better than most of the alternatives because, unlike many
tools, it ships with configuration for a range of services in addition
to the basic ssh stuff.
So, you can detect the same brute-force attacks via IMAP, POP, FTP, or
any of the other common sources of this.
I am still amazed, in fact, that more of the brute forcing is not
targeted at POP/IMAP accounts and passwords, since the mapping is
frequently trivial to real accounts, and they are monitored so much