Re: brute force ssh attempt mitigation
- From: Olav Vitters <olav vitters nl>
- To: Christer Edwards <christer edwards gmail com>
- Cc: gnome-infrastructure gnome org, jeffschroeder computer org
- Subject: Re: brute force ssh attempt mitigation
- Date: Wed, 31 Mar 2010 16:36:47 +0200
On Wed, Mar 31, 2010 at 08:33:33AM -0600, Christer Edwards wrote:
> On Wed, Mar 31, 2010 at 8:29 AM, Jeff Schroeder <jeffschroed gmail com> wrote:
> > It certainly is annoying, but ssh is configured to not allow password
> > authentication. All the bots are really doing is using up ssh
> > connections. Another thought might be to use iptables to ratelimit the
> > number of new connections to port 22 and just tarpit them. However
> > we'd have to be especially careful on git.gnome.org as that could
> > really piss off rockstar contributors. Good attention to detail
> > however.
>
> Wasn't there some talk about actually populating /etc/{passwd,shadow}
> as an LDAP backup? Wouldn't that require opening ssh to passwd auth to
> make it useful? ...maybe I misunderstood the conversation, but if it is
> the case then I think it makes this a requirement.
No, /etc/passwd + /etc/shadow entries are only for sysadmins, and only
to ensure sudo access. Login is still done using key-based
authentication (it is copied from LDAP every hour). In case LDAP is
down, the old SSH key will still be available (latest create-auth
versions).
Normal users should not be in /etc/passwd.
--
Regards,
Olav
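Jeff's suggestion above is to rate-limit new connections to port 22 with iptables, with the caveat that a tight limit on git.gnome.org could also hit legitimate contributors. The following is an added example, not code from this thread or from GNOME's infrastructure: a user-space model of a per-source sliding-window limit (an approximation of what an xt_recent `--update --seconds N --hitcount M` rule does, where every new attempt, allowed or dropped, refreshes the source's history), run over constructed connection events so the effect of a given window and threshold on a scanning bot versus a busy contributor can be compared before any firewall rule is written. The addresses and timings are constructed sample data from the documentation ranges, not real traffic.

```python
"""Model a per-source rate limit on new SSH connections.

Added example. It approximates an iptables/xt_recent rule of the form
`--update --seconds WINDOW --hitcount MAX` in user space: each source
keeps a history of recent connection attempts, and an attempt is dropped
once MAX attempts already fall inside the window. Dropped attempts still
count, as they do with --update, so a bot that keeps hammering stays
blocked while a source that backs off recovers after WINDOW seconds.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Tuple

Event = Tuple[float, str]  # (timestamp in seconds, source address)


class NewConnectionLimiter:
    """Sliding-window counter of new connections per source address."""

    def __init__(self, window_seconds: float, max_new: int) -> None:
        self.window = window_seconds
        self.max_new = max_new
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def admit(self, ts: float, src: str) -> bool:
        """Return True if the connection at time ts is allowed, False if dropped."""
        history = self._hits[src]
        # Forget attempts that have aged out of the window.
        while history and ts - history[0] >= self.window:
            history.popleft()
        over_limit = len(history) >= self.max_new
        # Record this attempt whether or not it is allowed (xt_recent --update).
        history.append(ts)
        return not over_limit


def simulate(events: Iterable[Event], window: float, max_new: int) -> Dict[str, Dict[str, int]]:
    """Replay events in time order and count allowed/dropped attempts per source."""
    limiter = NewConnectionLimiter(window, max_new)
    stats: Dict[str, Dict[str, int]] = defaultdict(lambda: {"allowed": 0, "dropped": 0})
    for ts, src in sorted(events):
        outcome = "allowed" if limiter.admit(ts, src) else "dropped"
        stats[src][outcome] += 1
    return dict(stats)


# Constructed sample traffic (documentation address ranges, not real hosts):
#   198.51.100.7  - a scanner opening a new connection every 2 s for a minute
#   203.0.113.21  - a contributor doing six git pushes in one minute
#   192.0.2.5     - a quiet user with a single login
SAMPLE_EVENTS: List[Event] = (
    [(float(t), "198.51.100.7") for t in range(0, 60, 2)]
    + [(float(t), "203.0.113.21") for t in range(0, 60, 10)]
    + [(5.0, "192.0.2.5")]
)


if __name__ == "__main__":
    for max_new in (4, 10):
        print(f"window=60s hitcount={max_new}: {simulate(SAMPLE_EVENTS, 60.0, max_new)}")
```

With a 60 second window and a hitcount of 4 the scanner gets 4 connections through and loses the other 26, but the contributor's fifth and sixth pushes are dropped as well; raising the hitcount to 10 lets all six pushes through while the scanner is still held to 10 attempts per minute. That is the trade-off the thread raises for git.gnome.org: the threshold has to sit above the burst rate of legitimate key-based users, not just above one connection per minute.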