Lock Out on Too High Fail Count

Another countermeasure against some automated attacks is to lock access once a certain number of failed attempts has been exceeded. Since such measures only keep out unskilled attackers, you still need other lines of defense in place.

Linux can be extended to lock out user accounts after a certain number of failed login attempts by using the pam_tally module. This lets you enforce such a limit for all services that rely on PAM. Note, however, that this measure only affects services that use the system's authentication library; anything that authenticates on its own is not covered.

Another approach is to deny access at the network level. denyhosts is an example of such an application. It parses the log files of sshd and adds appropriate entries to /etc/hosts.deny, which prevents hosts with too high a fail count from connecting to the SSH daemon again. Such tools also exist for other services, and where none exists, one is relatively easy to implement yourself.

Unfortunately, such automated lockouts have two drawbacks. First, there is always a chance that you lock yourself out by accident. Second, with methods that block access at the network layer, legitimate users who connect from dynamic IP addresses, which most Internet providers assign to end users, may be blocked as well. You need to consider such limitations carefully.
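The log-parsing approach described above, as an added example that is neither the page's own code nor part of denyhosts: a small Python script that counts sshd "Failed password" lines per source address inside a sliding time window, emits /etc/hosts.deny entries for addresses that reach the threshold, and honours an allowlist so that your own administration hosts can never be locked out, which is the guard against the first drawback. The log lines, addresses, threshold and window are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample sshd log lines in syslog format (sshd logs no year).
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 4411 ssh2
Mar  3 10:00:04 host sshd[1202]: Failed password for root from 203.0.113.7 port 4412 ssh2
Mar  3 10:00:09 host sshd[1203]: Failed password for root from 203.0.113.7 port 4413 ssh2
Mar  3 10:00:22 host sshd[1204]: Failed password for root from 203.0.113.7 port 4414 ssh2
Mar  3 10:45:00 host sshd[1205]: Failed password for root from 198.51.100.9 port 6001 ssh2
Mar  3 11:50:00 host sshd[1206]: Failed password for root from 198.51.100.9 port 6002 ssh2
Mar  3 11:51:00 host sshd[1207]: Failed password for root from 198.51.100.9 port 6003 ssh2
Mar  3 11:52:00 host sshd[1208]: Failed password for root from 198.51.100.9 port 6004 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port"
)

def parse_failures(log_text, year=2024):
    """Yield (timestamp, source_ip) for every 'Failed password' line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]

def hosts_to_deny(log_text, threshold=4, window_seconds=3600, allowlist=()):
    """Return the source IPs that reached `threshold` failures inside a sliding
    window of `window_seconds`. Entries in `allowlist` (your own admin hosts)
    are never returned: that is the guard against locking yourself out."""
    recent = {}  # ip -> failure timestamps still inside the window
    deny = set()
    for ts, ip in sorted(parse_failures(log_text)):
        if ip in allowlist:
            continue
        stamps = [t for t in recent.get(ip, []) if (ts - t).total_seconds() <= window_seconds]
        stamps.append(ts)
        recent[ip] = stamps
        if len(stamps) >= threshold:
            deny.add(ip)
    return deny

def hosts_deny_lines(ips):
    """Render entries in /etc/hosts.deny syntax for the sshd service."""
    return [f"sshd: {ip}" for ip in sorted(ips)]

if __name__ == "__main__":
    print("\n".join(hosts_deny_lines(hosts_to_deny(SAMPLE_LOG))))
```

With the defaults, 203.0.113.7 is denied after four failures within seconds, while 198.51.100.9 is not, because its first failure falls outside the one-hour window of the last three.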

A more general approach to service blocking at the network level is to implement it in the packet filter. The following listing shows an example using iptables, the standard packet filter administration tool for the NetFilter framework in Linux 2.4 and 2.6, together with the recent match module. The rule set allows only four new connections per minute from a particular host.

# Record every new SSH connection attempt in the "recent" list for its source address.
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state \
    --state NEW -m recent --set

# Drop a new attempt once the source already has four hits within the last 60 seconds.
# Because both rules are inserted at the top with -I, this DROP rule ends up before the --set rule.
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state \
    --state NEW -m recent --update --seconds 60 \
    --hitcount 4 -j DROP
