[Freedombox-discuss] Block brute force login attacks?
Philip Hands
phil at hands.com
Thu Mar 20 11:00:48 UTC 2014
Nick Daly <nick.m.daly at gmail.com> writes:
> I'd like to throw one more alternative into the mix:
>
> On Wed, Mar 19, 2014 at 1:38 AM, Petter Reinholdtsen <pere at hungry.com> wrote:
>> - iptables / ufw rules
>> - libpam-shield - locks out remote attackers trying password guessing
>> - libpam-abl - blocks hosts which are attempting a brute force attack
>> - fail2ban - ban hosts that cause multiple authentication errors
>> - (*) denyhosts - Utility to help sys admins thwart SSH crackers
>
> - Figure out how to make key authentication easy for end user's
> devices and disable password authentication on boxen altogether.
Quite, although boostrapping may be an issue then.
Another thing that might help, but is also perhaps too complicated for
normal people, would be port-knocking, so that we're not even listening
to ssh until activated by nudging the right port(s).
Likewise, listening on something other than port 22 would help but may
be too complicated for normal users, and both are really just security
through obscurity.
This discussion also prompted me to wonder if it would be good to run a
tarpit on a spare IP address and/or on unused ports, as well as (if
possible) tarpitting connections that try logging in as root with a
password, say. The package xtables-addons-dkms apparently includes the
tarpit module (I'd not realise it was packaged until I looked just now).
Cheers, Phil.
--
|)| Philip Hands [+44 (0)20 8530 9560] http://www.hands.com/
|-| HANDS.COM Ltd. http://ftp.uk.debian.org/
|(| 10 Onslow Gardens, South Woodford, London E18 1NE ENGLAND
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 835 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/freedombox-discuss/attachments/20140320/4df60cf9/attachment.sig>
More information about the Freedombox-discuss
mailing list