Hi guys,

I was looking at my auth.log attempt today, and oh boy, for only 3 not known web site I got alot of root attempts.

Is there an easy way to block ip addresses if they fail more than 3 times to authenticate ssh?

thank you !
Cedric

apt-get install denyhosts

(For Debian and Debian-based distros...)

yah im on ubuntu 9.04

Thank you!

Check sshd_config:

PermitRootLogin no (then use su or su - to gain root privaleges)

MaxAuthTries 3 (drops the connection after 3 login failures)

This is just a basic start at ssh security.

As others mentioned, I have had good luck denyhost

Jeff

Allowing remote root access is a really, really bad idea. Do yourself a favor and disable all remote root access, create a user with a really obscure name. Then just make sure they belong in the "wheel" group so you can just su over once logged in.

Then I would go even further and lock down ssh access by IP if at all possible.

_________________

Where "Thought Crime" is commited
http://www.rejecttheherd.net

Ways to be safer:

1) sshd on an alternate port
2) disable password-based logins and allow only passphrase-based logins
3) use of sudo to gain root access instead of su might be better since it gives you more fine-grained control and also doesn't require you to be in wheel (wheel can be dangerous or a risk at times if ever compromised)
4) use of two-factor authentication. SecurID is common but really expensive. There's cheaper stuff for small scale setups, but can't remember what I looked at now.

I'm not fond of idea of having a separate login to use to become root because it's too easy to overlook any compromise attempts (successful or unsuccessful) with these than an account you use daily. Also, accounts unused for a long time may become security risks.

I don't see a problem with having "one" user with a complex/obscure login name and locking access to specific IP/IP's.

_________________


Where "Thought Crime" is commited

http://www.rejecttheherd.net