[TriLUG] Failed logins

Rick DeNatale rick.denatale at gmail.com
Fri Sep 2 16:09:21 EDT 2005


On 9/2/05, Alan Porter <porter at trilug.org> wrote:
> 
> Two things:
> 
> (1)
> 
> Check out DenyHosts - it's a small python script that scrapes your
> authentication logs and populates /etc/hosts.deny based on failed
> login attempts.  http://denyhosts.sourceforge.net/
> 
> (2)
> 
> If shutting off root ssh access seems too drastic, you can restrict
> root ssh logins from specific IPs.  Like this:
> 
>    # /etc/ssh/sshd_config
>    # The following notation is misleading: root@machine means
>    # any user from 'machine' can try to log in here as root.
>    PermitRootLogin yes
>    AllowUsers user1 user2 root@10.1.1.* root@work.ip.address root@trilug.ip.address

Another thing you might consider is to totally turn off ssh password
authentication and use public key authentication instead.  Googling for
"ssh keys howto" will turn up lots of help in how to do this.  The
downside is that you need public/private key pairs for each host and
client. The upside is that for valid clients, once you've set them up
with a little help with ssh key management (google ssh keychain), the
client user only needs to enter his key's passphrase once for a session
in order to get quick ssh access to any hosts he has registered keys
with.  The O'Reilly "Linux Server Hacks" book has a lot of good stuff
on how to set up ssh to make it both secure and convenient for
legitimate users.
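
Added example, not part of the original posts: a small Python check for the two settings discussed in this thread, password authentication and root restricted by host in AllowUsers. It flags an entry written with spaces around the separator instead of `root@host`, which sshd reads as separate user patterns. The function names and sample configs are constructed for illustration.

```python
from fnmatch import fnmatchcase

def parse_global(text):
    """Parse the global section of an sshd_config into {keyword: [args]}."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, *args = line.split()
        key = key.lower()              # keywords are case-insensitive
        if key == "match":
            break                      # only audit settings outside Match blocks
        if key == "allowusers":
            opts.setdefault(key, []).extend(args)   # repeated lines accumulate
        else:
            opts.setdefault(key, args)              # first value obtained is used
    return opts

def first(opts, key, default):
    return (opts.get(key) or [default])[0].lower()

def audit(text):
    """Return a list of findings for the settings discussed in the thread."""
    opts, findings = parse_global(text), []
    # sshd accepts passwords unless this is explicitly set to "no".
    if first(opts, "passwordauthentication", "yes") != "no":
        findings.append("password authentication is enabled")
    if first(opts, "permitrootlogin", "") == "yes":
        allow = opts.get("allowusers")
        if allow is None:
            findings.append("root login is allowed from any host")
        else:
            for pattern in allow:
                # A pattern without @host that matches "root" is not host-limited.
                if "@" not in pattern and fnmatchcase("root", pattern):
                    findings.append(f"AllowUsers entry {pattern!r} admits root from any host")
    return findings

# Constructed sample configs (addresses are placeholders).
RESTRICTED = "PermitRootLogin yes\nPasswordAuthentication no\nAllowUsers user1 user2 root@10.1.1.*\n"
SPACED = "PermitRootLogin yes\nPasswordAuthentication no\nAllowUsers user1 user2 root at 10.1.1.*\n"

if __name__ == "__main__":
    for name, cfg in (("restricted", RESTRICTED), ("spaced", SPACED)):
        print(name, audit(cfg) or "no findings")
```

Run it against a copy of the server's config by passing the file contents to `audit()`; an empty list means neither issue was found in the global section.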


