Re: brute force ssh attempt mitigation

On Wed, Mar 31, 2010 at 08:33:33AM -0600, Christer Edwards wrote:
> On Wed, Mar 31, 2010 at 8:29 AM, Jeff Schroeder <jeffschroed gmail com> wrote:
> > It certainly is annoying, but ssh is configured to not allow password
> > authentication. All the bots are really doing is using up ssh
> > connections. Another thought might be to use iptables to ratelimit the
> > number of new connections to port 22 and just tarpit them. However
> > we'd have to be especially careful on as that could
> > really piss off rockstar contributors. Good attention to detail
> > however.
> Wasn't there some talk about actually populating /etc/{passwd,shadow}
> as an ldap backup? Wouldn't that require opening ssh to passwd auth to
> make it useful? ..maybe I misunderstood the conversation, but if it is
> the case then I think it makes this a requirement.

No, /etc/passwd + /etc/shadow entries are only for sysadmins, and only
to ensure sudo access. Login is still done using key based
authentication (it is copied from LDAP every hour). In case LDAP is
down, the old SSH key will still be available (latest create-auth

Normal users should not be in /etc/passwd.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]