How do I stop bruteforce SSH login attempt?
Al Gordon
runlevel7 at gmail.com
Wed Apr 12 19:41:06 UTC 2006
On 4/12/06, Soo-Hyun Choi <s.choi at hackers.org.uk> wrote:
> Hi,
>
> A few days ago, I noticed that my system is under constant
> attack(?) with a bruteforce SSH login - e.g., from a single IP
> address, it tries like 100 ~ 200 ssh login trials with all different
> user names, and goes away.
>
> I know how to block it in a FreeBSD system with "denyhost" or
> "bruteforceblocker" from the ports, but I have little knowledge in my
> Ubuntu 5.10 box.
>
> Would there be anyone who could tell me something about it?
>
> Thank you.
> Soo-Hyun

Another solution, in addition to the ones you've received. I like
this one because it's easy to implement:

First, do this:

    sudo apt-get install libpam-modules

Then, add the following 2 lines to /etc/pam.d/ssh:

    auth required pam_tally.so onerr=fail no_magic_root
    account required pam_tally.so onerr=fail deny=3 no_magic_root even_deny_root_account reset

Then:

    sudo /etc/init.d/ssh restart

Now, any account that is attacked is automatically locked after 3
failed remote login attempts.

Pros to this solution: It's quick and easy to implement.

Cons to this solution: It allows someone (including yourself) to deny
you access to your own account by attempting to log in 3 times with bad
credentials. If an account is locked, you have to log in at the
console to unlock it.

--
-- AL --
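
An added example, not part of the original message: a small Python model of the per-account counting that the pam_tally lines above configure, run over constructed sshd log lines, set beside a per-source-IP view of the same lines (the pattern described in the question). Assumptions: the log lines, user names and addresses are made up; an account is treated as locked once its count reaches `deny`, as the message describes; failures for nonexistent users are not counted.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in OpenSSH's sshd log format (not from the post).
SAMPLE_LOG = """\
Apr 12 19:01:02 box sshd[4101]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2
Apr 12 19:01:04 box sshd[4102]: Failed password for invalid user test from 192.0.2.10 port 40002 ssh2
Apr 12 19:01:06 box sshd[4103]: Failed password for root from 192.0.2.10 port 40003 ssh2
Apr 12 19:01:08 box sshd[4104]: Failed password for invalid user guest from 192.0.2.10 port 40004 ssh2
Apr 12 19:05:10 box sshd[4110]: Failed password for al from 198.51.100.7 port 51000 ssh2
Apr 12 19:05:15 box sshd[4111]: Failed password for al from 198.51.100.7 port 51001 ssh2
Apr 12 19:05:20 box sshd[4112]: Failed password for al from 198.51.100.7 port 51002 ssh2
Apr 12 19:09:00 box sshd[4120]: Failed password for soo from 203.0.113.5 port 52000 ssh2
Apr 12 19:09:30 box sshd[4121]: Accepted password for soo from 203.0.113.5 port 52001 ssh2
"""

EVENT = re.compile(r"sshd\[\d+\]: (Failed|Accepted) password for "
                   r"(invalid user )?(\S+) from (\S+) port \d+")

def analyse(log_text, deny=3):
    """Return (accounts at/over the deny count, distinct users tried per IP)."""
    tally = Counter()                 # per-account failures, like a tally file
    users_by_ip = defaultdict(set)    # what a per-source view would show
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        outcome, invalid, user, ip = m.groups()
        if outcome == "Accepted":
            tally[user] = 0           # models the `reset` option
            continue
        users_by_ip[ip].add(user)
        if not invalid:               # assumption: only count real accounts
            tally[user] += 1
    locked = sorted(u for u, n in tally.items() if n >= deny)
    spread = {ip: len(users) for ip, users in users_by_ip.items()}
    return locked, spread

if __name__ == "__main__":
    locked, spread = analyse(SAMPLE_LOG)
    print("accounts at deny threshold:", locked)
    for ip, n in sorted(spread.items(), key=lambda kv: -kv[1]):
        print(f"{ip}: failed logins against {n} distinct user name(s)")
```

In this sample the only account that reaches the threshold is the one hit three times from a single address, while the address that cycled through four user names never pushes any one account to the limit.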
More information about the ubuntu-users mailing list