Scientific Linux Forum.org




> Set time delay between login attempts?, to make brute force attacks harder?
avamk
 Posted: Aug 31 2011, 04:23 AM
Hello,
So I've read that, in addition to using a long and secure password, it is also helpful to set a time delay (say, 5 seconds) between password login attempts (SSH or anything else that requires password login). Also, one might set it up so that after a certain number of failed attempts, login will be disabled for another set amount of time (e.g. 24 hours).
How can this be set up on an SL system? If the method varies greatly, an SSH login example would be great.
Finally, is this really an effective security measure?
Thanks.
redman
 Posted: Aug 31 2011, 10:42 AM
QUOTE (avamk @ Aug 31 2011, 06:23 AM)
Finally, is this really an effective security measure?

Can't tell you how to set this up. But, looking at it from a statistical point of view, it will never be 100% adequate. IF they want to break your system, they will succeed. But then they would need your system at their place.

For external safety I believe it will always be helpful. But don't depend on it, expect it to be enough. In order to keep the crackers out, you need to think like one. Compare it to a car thief wanting to steal a car. If he has the choice for a "normal" one or one that has one of those buggy bars attached to the steering wheel, he will almost certainly go for the "normal" car.

You might want to have a look at this topic on practical tips how to secure SSH.


helikaon
 Posted: Aug 31 2011, 12:48 PM
Hi,
Linux security is a really wide theme and you can set it up service-wise (if possible, like with sshd) or OS-wise in:
1. "/etc/pam.d/"
2. iptables
3. tcpwrappers
4. any special tool (fail2ban)
5. anything that I forgot now :)

In your case, if it is ssh securing, check:
1. /etc/ssh/sshd_config
this part:
# Authentication:
LoginGraceTime 1m
PermitRootLogin no
#StrictModes yes
MaxAuthTries 3
AllowUsers xxx yyy

2. /etc/pam.d/system-auth
/etc/pam.d/sshd
(manpage it)

3. iptables (this is not from my head, just googled it, but seems it could work, or work on this basis)
# the two --rcheck rules match only NEW connections, so packets of already established sessions are not logged or dropped
iptables -A INPUT -m state --state NEW -m tcp -p tcp -m recent --dport 22 --rcheck --seconds 30 --hitcount 2 --name sshlist --rsource -j LOG --log-prefix "SSH ATTACK: "
iptables -A INPUT -m state --state NEW -m tcp -p tcp -m recent --dport 22 --rcheck --seconds 30 --hitcount 2 --name sshlist --rsource -j DROP
iptables -A INPUT -m state --state NEW -m tcp -p tcp -m recent --dport 22 --set --name sshlist --rsource -j ACCEPT
That will block any IP that tries to connect more than twice in 30 seconds.

Another good googled example:
iptables -A INPUT -m tcp -p tcp --dport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m tcp -p tcp -s 10.1.0.0/24 --dport 22 -j ACCEPT
iptables -A INPUT -m tcp -p tcp --dport 22 -m state --state NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT
iptables -A INPUT -m tcp -p tcp --dport 22 -j DROP

The second line allows the hosts on the network block 10.1.0.0/24 to connect an unlimited number of times. Do this for hosts that you would normally connect from. Then, in an emergency, you can get in from another machine, as long as someone else isn't hitting the machine more than 3 times per second.
The 3rd line allows a burst of up to 3 SSH connection attempts from a given remote IP address, and once that's exceeded it will limit that IP to 3 attempts per minute. The burst recharges every time that the limit is not hit. This set of rules only gets invoked on the initial SSH connection establishment attempt, so it doesn't impact SSH connections after they are made.

4. /etc/hosts.allow and hosts.deny

If any particular question, ask further; it's really quite a wide area to cover in a forum post :)


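Added example (not part of the original thread or any poster's code): a small Python model of how the two iptables rule sets quoted above decide on NEW connections to port 22. It assumes the standard behaviour of the `recent` match (one timestamp list per source address) and of the `limit` match (one token bucket per rule, shared by all sources); the function names, addresses and timings are constructed for illustration.

```python
"""Model of the two rule sets above, applied to NEW connections to port 22."""
import ipaddress
from collections import defaultdict

def recent_rules(attempts, seconds=30, hitcount=2):
    """-m recent --rcheck / --set: one list of timestamps per source address."""
    seen = defaultdict(list)
    verdicts = []
    for t, src in attempts:
        hits = [s for s in seen[src] if t - s < seconds]
        if len(hits) >= hitcount:
            verdicts.append((t, src, "DROP"))    # --rcheck matched, nothing recorded
        else:
            seen[src].append(t)                  # --set records this attempt
            verdicts.append((t, src, "ACCEPT"))
    return verdicts

def limit_rules(attempts, per_minute=3, burst=3, trusted="10.1.0.0/24"):
    """-m limit: a single token bucket for the rule, shared by every source."""
    net = ipaddress.ip_network(trusted)
    credit, last = float(burst), None
    verdicts = []
    for t, src in attempts:
        if ipaddress.ip_address(src) in net:
            verdicts.append((t, src, "ACCEPT"))  # matched the earlier -s rule
            continue
        if last is not None:                     # refill since the last evaluation
            credit = min(burst, credit + (t - last) * per_minute / 60)
        last = t
        if credit >= 1:
            credit -= 1
            verdicts.append((t, src, "ACCEPT"))
        else:
            verdicts.append((t, src, "DROP"))    # falls through to the final DROP
    return verdicts

def accepted(verdicts, src):
    return [t for t, s, v in verdicts if s == src and v == "ACCEPT"]

# Constructed sample: one noisy source retrying every second, plus two single
# logins from other addresses (documentation and private ranges, not real hosts).
NOISY, ADMIN, LAN = "203.0.113.5", "198.51.100.7", "10.1.0.9"
ATTEMPTS = sorted([(t, NOISY) for t in range(20)] + [(10, ADMIN), (12, LAN)])

if __name__ == "__main__":
    for name, rules in (("recent", recent_rules), ("limit", limit_rules)):
        out = rules(ATTEMPTS)
        print(name, {s: accepted(out, s) for s in (NOISY, ADMIN, LAN)})
```

Under the `limit` rules the single login from 198.51.100.7 is dropped because the retries from the noisy source have drained the shared bucket, while the host inside 10.1.0.0/24 still gets in through the earlier `-s` rule. The `hashlimit` match keeps a separate bucket per source address.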