Hi list,

Having tired of seeing attempts to log in as root via SSH in my logs, I wrote a quick-and-dirty hack to the pam_tally module in order to implement a tarpit. Here's the code: (License is of course GPL)

http://www.princeton.edu/~kmccarty/downloads/pam_tarpit-0.0.1.tar.gz

This will work if you use PAM with SSH, even if you have PermitRootLogin set to "no" (which should generally be the case anyway). See the included README for the lines to add to /etc/pam.d/ssh .

For each failed login attempt after the first three, the module increases the amount of time required to wait for the next login attempt by a factor of two.

Caveat: this module doesn't (yet) implement IP tracking, so there is some danger of a DoS. Since the current SSH dictionary attacks appear only to try cracking root and other non-user accounts, if you don't permit root to login by SSH anyway, the danger is not so high. You might also want to add a cron job to delete the /var/log/faillog file every so often.

Comments?

-- 
Kevin B. McCarty <[EMAIL PROTECTED]>   Physics Department
WWW: http://www.princeton.edu/~kmccarty/       Princeton University
GPG public key ID: 4F83C751                 Princeton, NJ 08544
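
The doubling schedule and the DoS caveat from the message above, as an added example (this is not code from pam_tarpit): it compares a per-account failure counter with one keyed on account plus source address. The 1-second base delay, the one-hour cap, the fixed-size table and the account name and documentation-range addresses are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define FREE_ATTEMPTS 3      /* from the post: the first three failures are free */
#define BASE_DELAY    1L     /* assumption: seconds of delay after the 4th failure */
#define MAX_DELAY     3600L  /* assumption: cap, also keeps the shift in range */
#define MAX_KEYS      64     /* assumption: small fixed table for the demo */

/* Seconds to wait before the next attempt, doubling per failure past the free ones. */
static long tarpit_delay(unsigned failures) {
    if (failures <= FREE_ATTEMPTS) return 0;
    unsigned doublings = failures - FREE_ATTEMPTS - 1;
    if (doublings >= 20) return MAX_DELAY;   /* avoid overflowing the shift */
    long d = BASE_DELAY << doublings;
    return d > MAX_DELAY ? MAX_DELAY : d;
}

struct entry { char key[96]; unsigned failures; };
struct table { struct entry e[MAX_KEYS]; int n; int per_ip; };

/* Find or create a counter; without per_ip every source shares one counter per user. */
static struct entry *lookup(struct table *t, const char *user, const char *ip) {
    char key[96];
    snprintf(key, sizeof key, "%s|%s", user, t->per_ip ? ip : "*");
    for (int i = 0; i < t->n; i++)
        if (strcmp(t->e[i].key, key) == 0) return &t->e[i];
    if (t->n == MAX_KEYS) return NULL;
    struct entry *e = &t->e[t->n++];
    snprintf(e->key, sizeof e->key, "%s", key);
    e->failures = 0;
    return e;
}

/* Record one failed login and return the delay now in force for that key. */
static long record_failure(struct table *t, const char *user, const char *ip) {
    struct entry *e = lookup(t, user, ip);
    if (!e) return MAX_DELAY;                /* table full: assume maximum delay */
    return tarpit_delay(++e->failures);
}

/* Constructed scenario: 10 failures from one address, then the delay another address sees. */
static long victim_delay(int per_ip) {
    struct table t = { .n = 0, .per_ip = per_ip };
    for (int i = 0; i < 10; i++) record_failure(&t, "alice", "203.0.113.7");
    struct entry *e = lookup(&t, "alice", "198.51.100.20");
    return e ? tarpit_delay(e->failures) : MAX_DELAY;
}

int main(void) { printf("per-user: %lds, per-user+ip: %lds\n", victim_delay(0), victim_delay(1)); return 0; }
```

With the per-account counter, the account's real owner inherits the delay that a stranger's failures built up; keying on the source address as well removes that effect at the cost of one counter per address.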

