Crying wolf over OpenSSH

Posted Jul 18, 2009 22:33 UTC (Sat) by Baylink (subscriber, #755)
Parent article: Crying wolf over OpenSSH

If for some reason (and let us not get into just now what those reasons might be, and whether they're good enough for *you*) you need to run sshd in a password-accepting environment, let me recommend the SSH Brute Force attack defense page:

http://la-samhna.de/library/brutessh.html

I personally use the hosts.allow approach, but there's some good skullsweat on this page, whichever one suits you.

Crying wolf over OpenSSH

Posted Jul 20, 2009 14:40 UTC (Mon) by wookey (subscriber, #5501) [Link]

The thing I find missing for ssh is an easy way to say that only a subset of users on the machine can do remote ssh logins. I have machines with lots of users, but only a few of those need to do remote ssh. And of course those machines are hammered by brute-force attacks all the time, so restricting possible valid logins to the people who know what they are doing and can be relied upon to have strong passwords would be a huge help.

The normal install is an everyone or nobody affair.

Crying wolf over OpenSSH

Posted Jul 20, 2009 14:45 UTC (Mon) by Baylink (subscriber, #755) [Link]

Well, yeah, but it's pretty trivial to limit it:

http://www.cyberciti.biz/tips/openssh-deny-or-restrict-ac...

Crying wolf over OpenSSH

Posted Jul 20, 2009 21:50 UTC (Mon) by nix (subscriber, #2304) [Link]

Note that in recent versions of OpenSSH you can put these under Match as well, so different users/groups can be allowed in depending on where they are connecting from.
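An sshd_config fragment illustrating the AllowGroups-plus-Match arrangement discussed in the two comments above; this is an added example, not from any of the posters, and the group names and the 192.0.2.0/24 network are constructed placeholders:

```text
# Added example (not from the thread). Restrict sshd logins to a subset of
# accounts, and widen that subset only for one trusted network.
# Group names and addresses are constructed placeholders.

# Global default: only members of ssh-users may log in at all. Everyone
# else is refused after authentication, whatever their password is, so
# the brute-force noise still shows up in the logs but never succeeds.
AllowGroups ssh-users
PasswordAuthentication yes

# Match blocks must come after every global setting: each line following
# a Match applies only to connections that satisfy it, until the next
# Match. A setting inside a Match replaces the global value for that
# connection, so the admins group is reachable only from this network.
Match Address 192.0.2.0/24
    AllowGroups ssh-users admins
```

To see which values sshd would actually apply to a given connection, `sshd -T -C user=alice,host=client.example.com,addr=192.0.2.10` prints the effective configuration for that user and source address (names constructed here), which is the quickest way to confirm that a Match block does what was intended.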

Crying wolf over OpenSSH

Posted Jul 21, 2009 3:09 UTC (Tue) by deunan_knute (subscriber, #290) [Link]

This is a very handy feature that, frustratingly, hasn't made its way into RHEL or CentOS yet.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds