photo
Jordan Sissel
geek

Wed, 19 Jul 2006

Is pam_captcha worth using? (Securing your sshd)

In /var/log/auth.log today, I see: 
Jul 19 04:37:21 dns sshd[5072]: Invalid user test from 211.154.254.73
Jul 19 04:37:22 dns sshd[5074]: Invalid user guest from 211.154.254.73
Jul 19 04:37:26 dns sshd[5080]: Invalid user user from 211.154.254.73
No authentication failures, just invalid user notifications.

FreeBSD has (for a while?) disabled simple "password" authentication in it's base sshd config. What does this mean? If client connects requesting only "password" authentication, it will be rejected. Period. Example: 

dns(~) !255! % ssh -o "PreferredAuthentications password" happytest@dhcp
Permission denied (publickey,keyboard-interactive).
If you check /var/log/auth.log, you'll see: 
Jul 19 06:10:32 dns sshd[5403]: Invalid user happytest from 192.168.0.252
However, try the same with a valid user. Nothing is logged (by default). Still, you are denied outright.

The important point, is that I guess pam_captcha is not necessary at this time. Every ssh client I have used has supported both public-key and keyboard-interactive authentication, so disabling 'password' everywhere should be a viable option. FreeBSD disables password auth by default, and no one seems to be complaining.

If you're worried about brute force attacks over ssh, then just disable 'password' authentication. In sshd_config: 

PasswordAuthentication no
This probably requires that you use public-key or keyboard-interactive (PAM) to authenticate. Keeps normal users happy, and blocks brute force bots. That is, until the bot scripts are updated to use keyboard-interactive, perhaps? Who knows...

Comments: 3 (view comments)
Tags: ,
Permalink: /geekery/pam_captcha_research
posted at: 13:40

3 responses to 'Is pam_captcha worth using? (Securing your sshd)'

candice posted at Wed Jul 19 17:13:30 2006...
pam-captcha is neat.

However, we both know that bots are an arms race, they will implement other methods if need be.

Michael Boman posted at Mon Jul 24 03:11:03 2006...
Thank you for posting a follow up on the issue. However, I agree with candice that it is a constant arms race, and I rather be safe then sorry. At the moment I have both disabled "password" authentication and enabled pam_captcha, also known as using both belt and suspenders. I am also using fail2ban to filter out offenders. Fail2ban has really helped keeping the /var/log/secure log down to a resonable level.

Jordan Sissel posted at Mon Jul 24 11:00:01 2006...
I agree regarding the 'better safe than sorry'

I use my own software (grok) to handle brute force attempts via log analysis aswell. Doing so keeps the signal-to-noise ratio in logs much more reasonable.

Though, grok is more general purpose so I use it for other kinds of things too.

Leave a reply

You need javascript enabled to use this form. Anti-spam efforts ongoing. Also, if the comment doesn't show up, it's because the form expired. Go back and copy your comment, reload the form, and resubmit. Apologies if this is a hassle, I'm just playing with antispam methods right now. If this insists on not working, please email me about it.

Name (required)
E-mail (optional, if you want me to be able to email you back)
URL (also optional)
Comment:

Search this site

Navigation

Metadata

Home About Resume My Code (SVN)

Articles

ARP Security Dynamic DNS with DHCP OpenLDAP+Kerberos+SASL PPP over SSH SSH Security: /bin/false Week of Unix Tools Work Efficiency

Projects

fex firefox tabsearch firefox urledit grok keynav liboverride newpsm (FreeBSD) nis2ldap pam_captcha poor man's backup Solaris audio utility xboxproxy xdotool xmlpresenter xpathtool misc scripts

Presentations

Yahoo! Hack Day '06 Unix Essentials Vi/Vim Essentials

Tag Cloud

Calendar

< July 2006 >
SuMoTuWeThFrSa
       1
2 3 4 5 6 7 8
9101112131415
16171819202122
23242526272829
3031     

Friends

BarCamp Kent Brewster Tantek Çelik John Resig Wesley Shields Tyler Shields

Technorati