[Freedombox-discuss] Block brute force login attacks?

Petter Reinholdtsen pere at hungry.com
Sat Jun 14 07:47:04 UTC 2014 

Time to pick up this thread again, and set up some defence against the
simple and stupid brute force attacks.  Since the last discussion, I've
submitted bug #742024 to ask libpam-abl to be enabled by default after
installation, making it a more viable option for us, and bringing it on
pair with libpam-shield in this regard.

These are the known options:

 - iptables / ufw rules.

   It can trigger on many connections, but is not really an option, as
   it is unable to detect failed logins.

 - libpam-shield - locks out remote attackers trying password guessing.

   Working option, just install and get the shield in place.  But it
   block for one week by default, which is way too long.  The package is
   orphaned, so if we are to use it someone need to adopt it.  It can be
   used if we adjust the default configuration.

 - libpam-abl - blocks hosts which are attempting a brute force attack

   Working option, just install and get the shield in place.  But it
   block for 24 hours by default, which is a bit too long.  I've asked
   for it to be reduced to 1-2 hours in bug #751551, but do not know
   what the maintainer will say. It can be used directly but we should
   perhaps adjust the default configuration to reduce the block period.

 - fail2ban - ban hosts that cause multiple authentication errors
 - (*) denyhosts - Utility to help sys admins thwart SSH crackers

   Working options, but only handle ssh by default.

 - configure ssh to block password authentication and require ssh keys
   to log in, at least over the internet.

 - configure ssh to not use port 22, or require port knocking to log in.

These options are not exclusive, and we can pick combinations that make
sense.  I believe it is best to handle this issue on the PAM level, and
there we have two options.  Because libpam-shield is orphaned and have
so huge block period, I conclude that libpam-abl is our best option.  We
should also look at disabling password login from the Internet over ssh,
and only allow it on the local network.

I'll add it to the dependency list for freedombox-setup, to get it
installed by default, unless someone object with a good argument why
this is a bad idea. :)

-- 
Happy hacking
Petter Reinholdtsen

More information about the Freedombox-discuss mailing list