[colug-432] SSH

Rob Funk rfunk at funknet.net
Thu Mar 10 10:04:52 EST 2011


On Wednesday, March 09, 2011 10:32:26 pm Richard Hornsby wrote:
> I thought there was a way to increasingly slow down multiple failed
> attempts from the same connection, but I'm not seeing it in the
> sshd_config manpage.  Maybe xinetd could possibly do this?  Even small
> delays can help make it not worth it.

Two useful things here...

fail2ban, which Russ mentioned, will watch your logs and temporarily block 
addresses with too many failed login attempts. Just be sure to whitelist 
known-good addresses.
http://www.fail2ban.org/

The iptables "recent" module is very useful to slow down access. I have it set 
up to limit any host's new connections to my ssh server to twice in a minute.
http://snowman.net/projects/ipt_recent/

In my experience, limiting the frequency of new connections tends to mean that 
fail2ban rarely needs to block anybody, since attackers tend to give up and 
move on before fail2ban's limits get triggered.
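The iptables "recent" setup described above, written out as an added example (not Rob's own rules, which the post does not show): each source address gets at most two new SSH connections per minute, with a whitelist checked first. Port 22 and the whitelist address 192.0.2.10 are assumed placeholder values.

```shell
#!/bin/sh
# Added example, not from the original post: rate-limit new SSH connections
# per source with the iptables "recent" module. Prints the commands by
# default; APPLY=1 actually runs them (requires root).
set -eu

SSH_PORT=${SSH_PORT:-22}                # assumed sshd port
WINDOW=${WINDOW:-60}                    # seconds
ALLOWED=${ALLOWED:-2}                   # new connections per window per source
WHITELIST=${WHITELIST:-192.0.2.10}      # constructed example address(es)

# Dry run echoes each command; APPLY=1 executes it.
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$@"; fi; }

ssh_ratelimit_rules() {
    # The --set rule records this packet before --update counts hits, so the
    # (ALLOWED+1)th connection inside WINDOW is the first one dropped.
    hitcount=$((ALLOWED + 1))
    run iptables -N SSH_LIMIT
    run iptables -A INPUT -p tcp --dport "$SSH_PORT" \
        -m conntrack --ctstate NEW -j SSH_LIMIT
    # Known-good addresses leave the chain before any counting happens.
    for addr in $WHITELIST; do
        run iptables -A SSH_LIMIT -s "$addr" -j RETURN
    done
    run iptables -A SSH_LIMIT -m recent --name SSH --set
    # --update also refreshes the timestamp on every dropped attempt, so a
    # source that keeps hammering stays blocked; --rcheck gives a fixed window.
    run iptables -A SSH_LIMIT -m recent --name SSH --update \
        --seconds "$WINDOW" --hitcount "$hitcount" -j DROP
}

ssh_ratelimit_rules
```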
