Krusher

Change wrong password delay in Linux


According to the IP address from the ARIN WHOIS lookup, someone in Korea either has nothing better to do or has a compromised machine (as a friend of mine suggested). Until I stopped forwarding the port on my router, I was getting a password attempt every 5 seconds:

Sep 18 13:45:20 webserver sshd(pam_unix)[856]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.206.125.39 user=root

Sep 18 13:45:25 webserver sshd(pam_unix)[859]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.206.125.39 user=root

Sep 18 13:45:30 webserver sshd(pam_unix)[861]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.206.125.39 user=root

Looking through my Linux documentation CD (RH9), it looks like there are several ways to limit this type of activity by connection IP address (/etc/xinetd.d) but there is no such service sshd in that directory. sshd is the secure telnet, which you knew already if you got this far. :)

Are there simpler ways to just increase the delay between wrong passwords to, say, a minute? Maybe I could just block this one host from /etc/hosts.deny but I don't know the format.

Thanks.

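The opening post asks for the /etc/hosts.deny format and nobody in the thread spells it out. As an added example (not from any poster), this is the TCP wrappers syntax, one `daemon_list : client_list` entry per line; it only has an effect when sshd is linked against libwrap, as a later reply notes. The blocked address is the one from the log excerpt above; the 192.168.1.0/24 network in the comment is an assumed local LAN.

```text
# /etc/hosts.deny   (format: daemon_list : client_list)
# Drop the single host seen in the log excerpt:
sshd: 211.206.125.39

# Stricter alternative: deny everyone here ...
# sshd: ALL
# ... and list trusted sources in /etc/hosts.allow, which is consulted
# first and wins on a match, e.g.   sshd: 192.168.1.0/255.255.255.0
```

Entries in hosts.allow take precedence over hosts.deny, so keep your own management network in hosts.allow before switching the deny entry to `ALL`, otherwise you lock yourself out along with the scanner.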
Are there simpler ways to just increase the delay between wrong passwords to, say, a minute? Maybe I could just block this one host from /etc/hosts.deny but I don't know the format.

Thanks.

~ # grep -i root /etc/ssh/sshd_config
PermitRootLogin no

You should never allow direct root login over SSH, always login using a normal user A/C and su to root.

greg

use iptables to nuke his ass

syntax is like this

iptables -I INPUT -s "HIS-IP-ADDRESS" -p tcp --dport 22 -j DROP

I enabled the ports an hour ago, and by now they must have got the message and moved on to someone else, so I was not able to try iptables. (But I am interested in how routing works, since I took the lazy route and just do it through the router for now.) :)


Can't a script run so that if someone tries to log on from a certain IP and gets the password wrong more than, say, 3 or 4 times, the IP gets entered into iptables?

~ # grep -i root /etc/ssh/sshd_config

PermitRootLogin no

greg

I tried editing this file above and after rebooting, it gives interesting results. B)

If you try to login as root with the wrong password, you get the chance to try again as much as you want. (Like before).

If you provide the right password, then I get this large error message with status codes, connection aborted, the works.

It looks like that configuration file also has options to use RSA keys in a public key file. But, you have to manually configure the key file for each user.

Is there a feature that simply locks that IP address out when there are multiple denials? (Regardless of user.)

If I disable the root login, then during a power outage I would not be able to login as root remotely. I'm using the apcupsd tool and it locks out everyone when that happens, except for root. Although, I could just let the server shut itself down I suppose.

Thanks.

Can't a script run so that if someone tries to log on from a certain IP and gets the password wrong more than, say, 3 or 4 times, the IP gets entered into iptables?

That would be ideal, although you could accidentally lock yourself out. :lol:

If set high enough, like 100 attempts, that would stop the kiddie password scripts...

Can't a script run so that if someone tries to log on from a certain IP and gets the password wrong more than, say, 3 or 4 times, the IP gets entered into iptables?

That would be ideal, although you could accidentally lock yourself out. :lol:

If set high enough, like 100 attempts, that would stop the kiddie password scripts...

Ya, that's why I suggested 3 or 4 wrong attempts... anyone could make a typo once or twice...

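The "script that counts wrong passwords per IP and feeds iptables" idea discussed in the posts above, written out as an added example that is not code from anyone in the thread. It parses the pam_unix "authentication failure" lines in the format of the original log excerpt, counts failures per rhost, applies the 3-or-4 style threshold, and prints one DROP rule per offending address using the iptables syntax a reply gave. The allow list addresses the lock-yourself-out concern: any source inside it is never blocked. The sample log is constructed (the 211.206.125.39 lines mirror the excerpt; 192.168.1.20 and user krusher are made-up LAN values), and the rules are printed rather than executed so they can be reviewed first.

```python
"""Count sshd/pam_unix authentication failures per source address and
emit iptables DROP rules for addresses that cross a threshold."""
import ipaddress
import re
from collections import Counter

# Constructed sample log in the pam_unix format from the thread's excerpt.
# 192.168.1.20 / krusher are made-up LAN values for the allow-list case.
SAMPLE_LOG = """\
Sep 18 13:45:20 webserver sshd(pam_unix)[856]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.206.125.39 user=root
Sep 18 13:45:25 webserver sshd(pam_unix)[859]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.206.125.39 user=root
Sep 18 13:45:30 webserver sshd(pam_unix)[861]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.206.125.39 user=root
Sep 18 13:45:35 webserver sshd(pam_unix)[863]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=211.206.125.39 user=root
Sep 18 13:46:02 webserver sshd(pam_unix)[870]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.168.1.20 user=krusher
Sep 18 13:46:09 webserver sshd(pam_unix)[872]: session opened for user krusher by (uid=0)
"""

# Only pam_unix failure records; lines with an empty rhost= do not match
# because \S+ needs at least one non-space character after the '='.
FAILURE_RE = re.compile(
    r"sshd\(pam_unix\)\[\d+\]: authentication failure;.*\brhost=(\S+)"
)


def count_failures(log_text):
    """Return a Counter {source address: number of failed attempts}."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def hosts_to_block(counts, threshold=4, allow_nets=()):
    """Addresses with >= threshold failures, minus anything in allow_nets.

    allow_nets: CIDR strings for the networks you administer from, so a run
    of your own typos (the lock-out worry in the thread) never blocks you.
    """
    nets = [ipaddress.ip_network(n) for n in allow_nets]
    blocked = []
    for host, n in counts.items():
        if n < threshold:
            continue
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # rhost was a hostname, not an address; skip it
        if any(addr in net for net in nets):
            continue
        blocked.append(host)
    return sorted(blocked)


def iptables_rules(hosts):
    """One DROP rule per address, in the form given earlier in the thread."""
    return [f"iptables -I INPUT -s {h} -p tcp --dport 22 -j DROP" for h in hosts]


if __name__ == "__main__":
    failures = count_failures(SAMPLE_LOG)
    for rule in iptables_rules(hosts_to_block(failures, 4, ["192.168.1.0/24"])):
        print(rule)  # dry run: inspect, then feed to sh on the server
```

This is a one-shot pass over whatever log text it is given; run from cron against the current auth log (or a tail of it), every failure in the file keeps counting, so either rotate the log or restrict the input to a recent time window, and remember that `iptables -I` rules vanish on reboot unless saved.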
Ya, that's why I suggested 3 or 4 wrong attempts... anyone could make a typo once or twice...

Or, if you're me at work, 10 times+. :rolleyes:

Does everyone else have like 20 passwords you have to remember? I heard the average is up there.

Ya, that's why I suggested 3 or 4 wrong attempts... anyone could make a typo once or twice...

Or, if you're me at work, 10 times+. :rolleyes:

Does everyone else have like 20 passwords you have to remember? I heard the average is up there.

Ya, I am getting close to that... I have a fragmented network at work... I have a folder full of passwords and user names for the servers and workstations.


Actually there IS a way to limit the maximum authentication tries in a single session - however the delay isn't implemented because the "interactiveness" isn't quite the same as your regular terminal session ....

If you are interested, have a look at the man page for sshd_config;

The particular entry in sshd_config is MaxAuthTries.

There are other things you can do to fix it....

If you've compiled sshd with tcp wrappers then you can achieve further control

Have a read. man 5 sshd_config at the command prompt will help

The particular entry in sshd_config is MaxAuthTries.

There are other things you can do to fix it....

If you've compiled sshd with tcp wrappers then you can achieve further control

I don't seem to have MaxAuthTries in man 5 sshd_config, but there is another one called "DenyUsers"; I will try that with root and see what the difference is.

I have not done any custom compiles; maybe that's how you have MaxAuthTries?


Yes, I know I'm talking to myself by responding to my own thread. But, "DenyUsers root" had an interesting effect. It says that the password is wrong no matter what, even if the password is good. So, I will use this unless I'm missing the MaxAuthTries feature in the man page, or it's undocumented and actually works.


MaxAuthTries is available only on latest OpenSSH snapshot. If you're using OpenBSD, it's on -Current tree.

Instead of using DenyUsers to disallow root login, there's a specific PermitRootLogin directive that you can use. By default, root is allowed to login. Just change the aforementioned argument to no and it should be good.

Yes, I know I'm talking to myself by responding to my own thread. But, "DenyUsers root" had an interesting effect. It says that the password is wrong no matter what, even if the password is good. So, I will use this unless I'm missing the MaxAuthTries feature in the man page, or it's undocumented and actually works.

And how did you solve the apcupsd tool issue?


~ # grep -i root /etc/ssh/sshd_config

PermitRootLogin no

greg

If you provide the right password, then I get this large error message with status codes, connection aborted, the works.

Is there a feature that simply locks that IP address out when there are multiple denials? (Regardless of user.)

If I disable the root login, then during a power outage I would not be able to login as root remotely. I'm using the apcupsd tool and it locks out everyone when that happens, except for root. Although, I could just let the server shut itself down I suppose.

Thanks.

No need to reboot after changing sshd_config, just send a HUP to the sshd process.

PermitRootLogin No: in SSH does not prevent you from logging in remotely using a normal user A/C and using su.

greg

If you really want to be an ass you can redirect the packets to his own IP. It's a bit on the evil side, but meh.

Now that sounds like fun if they come back. :)

And how did you solve the apcupsd tool issue?

Well, I didn't technically. :) If the power goes out and I try to login as root through SSH I can't get in. And, you can't login as another user and su to root because only root is allowed login under an outage.

I have VNC running on an internal network (behind a firewall), so I could still login to the VNC screen that I have open as root and do an early shutdown if desired that way. I'm not concerned about getting hacked on the internal network.

If it were a remote server I would probably just not use the auto-lockout feature during an outage. I believe that I used the auto-lockout feature because it nags everyone when that feature is on; otherwise it just shuts down without warning. I haven't updated apcupsd in awhile so that may have been changed.

No need to reboot after changing sshd_config, just send a HUP to the sshd process.

PermitRootLogin No: in SSH does not prevent you from logging in remotely using a normal user A/C and using su.

Ok, in this case I would login with my VNC session and kill any sshd processes. That sounds easier than a reboot.

"PermitRootLogin no" as suggested by cmkrnl and synthexp seems to do about the same thing as "DenyUsers root". But the difference is that if you actually get the root password, "PermitRootLogin no" gives you an error message so you know that you have the root password. "DenyUsers root" gives you the same message as if you had the wrong password, even if it is right.

Either way, root's not getting in anymore over SSH which makes it more fun--now I can let these password scripts run and try other things. :P

Or, maybe I'll get the latest OpenSSH as suggested. I'll print this off in a few days and save it for future use. Thanks everyone!

And how did you solve the apcupsd tool issue?

Well, I didn't technically. :) If the power goes out and I try to login as root through SSH I can't get in. And, you can't login as another user and su to root because only root is allowed login under an outage.

That sounds bizarre, if the machine is running multiuser, there is absolutely nothing stopping you logging in as a standard user, power outage or not.

greg

That sounds bizarre, if the machine is running multiuser, there is absolutely nothing stopping you logging in as a standard user, power outage or not.

I have this setting in my apcupsd.conf file, which is what stops the standard users from logging in. If you don't use this, then the 'nag' feature doesn't work:

# The condition which determines when users are prevented from
# logging in during a power failure.
# NOLOGON <string> [ disable | timeout | percent | minutes | always ]
NOLOGON always

