View All Products
Compute
Storage
Databases
Networking
Developer Tools
Delivery
Security
Services
Industries
Pricing
Community
Engage With Us
Community Questions Block root access after 3 fail
Log in to Ask a Question

Block root access after 3 fail

general

Hi guys,

I was looking at my auth.log attempt today, and oh boy, for only 3 not known web site I got alot of root attempts.

Is there an easy way to block ip addresses if they fail more than 3 times to authenticate ssh?

thank you !

Cedric

6 Replies

apt-get install denyhosts

(For Debian and Debian-based distros…)

yah im on ubuntu 9.04

Thank you!

Check sshd_config:

PermitRootLogin no (then use su or su - to gain root privaleges)

MaxAuthTries 3 (drops the connection after 3 login failures)

This is just a basic start at ssh security.

As others mentioned, I have had good luck denyhost

Jeff

Allowing remote root access is a really, really bad idea. Do yourself a favor and disable all remote root access, create a user with a really obscure name. Then just make sure they belong in the "wheel" group so you can just su over once logged in.

Then I would go even further and lock down ssh access by IP if at all possible. ;)

@marcus0263:

Allowing remote root access is a really, really bad idea. Do yourself a favor and disable all remote root access, create a user with a really obscure name. Then just make sure they belong in the "wheel" group so you can just su over once logged in.

Then I would go even further and lock down ssh access by IP if at all possible. ;)

Ways to be safer:

1) sshd on an alternate port

2) disable password-based logins and allow only passphrase-based logins

3) use of sudo to gain root access instead of su might be better since it gives you more fine-grained control and also doesn't require you to be in wheel (wheel can be dangerous or a risk at times if ever compromised)

4) use of two-factor authentication. SecurID is common but really expensive. There's cheaper stuff for small scale setups, but can't remember what I looked at now.

I'm not fond of idea of having a separate login to use to become root because it's too easy to overlook any compromise attempts (successful or unsuccessful) with these than an account you use daily. Also, accounts unused for a long time may become security risks.

@tronic:

@marcus0263:

Allowing remote root access is a really, really bad idea. Do yourself a favor and disable all remote root access, create a user with a really obscure name. Then just make sure they belong in the "wheel" group so you can just su over once logged in.

Then I would go even further and lock down ssh access by IP if at all possible. ;)

Ways to be safer:

1) sshd on an alternate port

2) disable password-based logins and allow only passphrase-based logins

3) use of sudo to gain root access instead of su might be better since it gives you more fine-grained control and also doesn't require you to be in wheel (wheel can be dangerous or a risk at times if ever compromised)

4) use of two-factor authentication. SecurID is common but really expensive. There's cheaper stuff for small scale setups, but can't remember what I looked at now.

I'm not fond of idea of having a separate login to use to become root because it's too easy to overlook any compromise attempts (successful or unsuccessful) with these than an account you use daily. Also, accounts unused for a long time may become security risks.
I don't see a problem with having "one" user with a complex/obscure login name and locking access to specific IP/IP's.

Reply

Please enter an answer
Tips:

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Log in to Reply
Community Code of Conduct