Tugger the SLUGger! SLUG Mailing List Archives

Re: [SLUG] ssh certificate logins


Erik de Castro Lopo <mle+slug@xxxxxxxxxxxxx> writes:
> Phill O'Flynn wrote:
>
>> I am running a Fedora server and currently using hosts.allow to
>> only allow ssh accesses from specific IP addresses. I did this because I was getting
>> a lot of idiots from eastern Europe and Russia trying to crack my server.
>> 
>> This has been ok but now is proving to be too restrictive. Can I get the
>> server to force certificate based logins only?? If so how do I do it?? Is this the
>> best approach anyway??
>
> Also have a look at pam_abl:
> http://www.hexten.net/wiki/index.php/Pam_abl

Oh, nice tool.  It is a pity that it isn't maintained upstream any
longer, or packaged for Debian / Ubuntu.  Being a PAM module is
especially nice, since it means that this would work for *any* PAM
integrated application, not just SSH.


Personally, I use fail2ban[1] which uses the cruder, but still
effective, technique of reading your logs and blocking people who try to
guess passwords via iptables.

I like it better than most of the alternatives because, unlike many
tools, it ships with configuration for a range of services in addition
to the basic ssh stuff.

So, you can detect the same brute-force attacks via IMAP, POP, FTP, or
any of the other common sources of this.[2]

Regards,
        Daniel

Footnotes: 
[1]  http://fail2ban.sf.net/

[2]  I am still amazed, in fact, that more of the brute forcing is not
     targeted at POP/IMAP accounts and passwords, since the mapping is
     frequently trivial to real accounts, and they are monitored so much
     less effectively.