Photo of Jordan Sissel
Jordan Sissel
hacker

Search this site

Metadata

Articles

Projects

Presentations

Is pam_captcha worth using? (Securing your sshd)

Posted Wed, 19 Jul 2006

In /var/log/auth.log today, I see: 
Jul 19 04:37:21 dns sshd[5072]: Invalid user test from 211.154.254.73
Jul 19 04:37:22 dns sshd[5074]: Invalid user guest from 211.154.254.73
Jul 19 04:37:26 dns sshd[5080]: Invalid user user from 211.154.254.73
No authentication failures, just invalid user notifications.

FreeBSD has (for a while?) disabled simple "password" authentication in it's base sshd config. What does this mean? If client connects requesting only "password" authentication, it will be rejected. Period. Example: 

dns(~) !255! % ssh -o "PreferredAuthentications password" happytest@dhcp
Permission denied (publickey,keyboard-interactive).
If you check /var/log/auth.log, you'll see: 
Jul 19 06:10:32 dns sshd[5403]: Invalid user happytest from 192.168.0.252
However, try the same with a valid user. Nothing is logged (by default). Still, you are denied outright.

The important point, is that I guess pam_captcha is not necessary at this time. Every ssh client I have used has supported both public-key and keyboard-interactive authentication, so disabling 'password' everywhere should be a viable option. FreeBSD disables password auth by default, and no one seems to be complaining.

If you're worried about brute force attacks over ssh, then just disable 'password' authentication. In sshd_config: 

PasswordAuthentication no
This probably requires that you use public-key or keyboard-interactive (PAM) to authenticate. Keeps normal users happy, and blocks brute force bots. That is, until the bot scripts are updated to use keyboard-interactive, perhaps? Who knows...
Comments: 4 | Link to this post | posted at: 10:40
Tags: ,

4 responses to 'Is pam_captcha worth using? (Securing your sshd)'

Showing last 4 comments... (Click here to view all comments)

candice wrote at Wed Jul 19 14:13:30 2006...
pam-captcha is neat.

However, we both know that bots are an arms race, they will implement other methods if need be.

Michael Boman wrote at Mon Jul 24 00:11:03 2006...
Thank you for posting a follow up on the issue. However, I agree with candice that it is a constant arms race, and I rather be safe then sorry. At the moment I have both disabled "password" authentication and enabled pam_captcha, also known as using both belt and suspenders. I am also using fail2ban to filter out offenders. Fail2ban has really helped keeping the /var/log/secure log down to a resonable level.

Jordan Sissel wrote at Mon Jul 24 08:00:01 2006...
I agree regarding the 'better safe than sorry'

I use my own software (grok) to handle brute force attempts via log analysis aswell. Doing so keeps the signal-to-noise ratio in logs much more reasonable.

Though, grok is more general purpose so I use it for other kinds of things too.

Christopher J. Umina wrote at Wed Nov 26 05:33:28 2008...
I just use pf on FreeBSD.

pass in on $ext_if inet proto tcp from any to any port ssh flags S/SA keep state (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)

Assuming you've got a persistent table named <ssh-bruteforce> the rule inserts everything that connects more than 3 times in 30 seconds into that table.  From there you can just do a block in quick against anything in the table.

Leave a reply

You need javascript enabled to use this form. Anti-spam efforts ongoing. Also, if the comment doesn't show up, it's because the form expired. Go back and copy your comment, reload the form, and resubmit. Apologies if this is a hassle, I'm just playing with antispam methods right now. If this insists on not working, please email me about it.

Name (required)
E-mail (optional, if you want me to be able to email you back)
URL (also optional)
Comment: