
Is pam_captcha worth using? (Securing your sshd)

In /var/log/auth.log today, I see:
Jul 19 04:37:21 dns sshd[5072]: Invalid user test from 211.154.254.73
Jul 19 04:37:22 dns sshd[5074]: Invalid user guest from 211.154.254.73
Jul 19 04:37:26 dns sshd[5080]: Invalid user user from 211.154.254.73
No authentication failures, just invalid user notifications.
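To make the distinction in those log lines concrete, here is a small triage script I am adding (it is not from the original post or from pam_captcha). It parses two sshd formats: "Invalid user X from IP", which sshd writes as soon as a client names an account that does not exist, before any credential is tried, and "Failed <method> for [invalid user] X from IP port N ssh2", which appears only when a credential is actually submitted. Grouping both by source IP separates sources that merely enumerated usernames from sources that got far enough to guess passwords, and shows which authentication methods the guesses used. The three lines above are included as-is; the remaining sample lines, IPs and usernames are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log. The first three lines are the ones quoted in the
# post; the rest are made up in OpenSSH's formats for failed "password" and
# failed "keyboard-interactive/pam" attempts, plus two unrelated lines that
# the parser must ignore.
SAMPLE_AUTH_LOG = """\
Jul 19 04:37:21 dns sshd[5072]: Invalid user test from 211.154.254.73
Jul 19 04:37:22 dns sshd[5074]: Invalid user guest from 211.154.254.73
Jul 19 04:37:26 dns sshd[5080]: Invalid user user from 211.154.254.73
Jul 19 04:38:02 dns sshd[5091]: Invalid user admin from 10.0.0.5
Jul 19 04:38:02 dns sshd[5091]: Failed password for invalid user admin from 10.0.0.5 port 40112 ssh2
Jul 19 04:38:05 dns sshd[5092]: Failed password for root from 10.0.0.5 port 40113 ssh2
Jul 19 04:38:09 dns sshd[5093]: Failed keyboard-interactive/pam for invalid user oracle from 10.0.0.5 port 40114 ssh2
Jul 19 04:39:44 dns sshd[5102]: Accepted publickey for alice from 192.168.0.10 port 51022 ssh2
Jul 19 04:40:01 dns CRON[5110]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# "Invalid user" is logged before any credential is tried.
INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\S+)")
# "Failed <method> for [invalid user ]<name> from <ip> port <n>" is logged
# only after a credential was actually submitted and rejected.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (\S+) for (invalid user )?(\S+) from (\S+) port \d+"
)


def parse_events(log_text):
    """Return a list of (kind, method, user, known_user, ip) tuples.

    kind is "invalid" for a rejected non-existent username and "failed" for
    a rejected credential; method is None for "invalid" events.
    """
    events = []
    for line in log_text.splitlines():
        m = INVALID_RE.search(line)
        if m:
            events.append(("invalid", None, m.group(1), False, m.group(2)))
            continue
        m = FAILED_RE.search(line)
        if m:
            method, invalid, user, ip = m.groups()
            events.append(("failed", method, user, invalid is None, ip))
    return events


def summarize_by_source(events):
    """Per source IP: number of username probes and a Counter of credential
    attempts per auth method. Returns {ip: {"invalid": n, "failed": Counter}}."""
    summary = defaultdict(lambda: {"invalid": 0, "failed": Counter()})
    for kind, method, _user, _known, ip in events:
        if kind == "invalid":
            summary[ip]["invalid"] += 1
        else:
            summary[ip]["failed"][method] += 1
    return dict(summary)


def probe_only_sources(summary):
    """Sources that enumerated usernames but never submitted a credential.

    This is the pattern in the excerpt above: a bot that only speaks the
    "password" method gives up once sshd refuses to offer it.
    """
    return sorted(ip for ip, s in summary.items()
                  if s["invalid"] and not s["failed"])


def methods_attacked(summary):
    """Which authentication methods attackers actually exercised."""
    total = Counter()
    for s in summary.values():
        total.update(s["failed"])
    return total


if __name__ == "__main__":
    summary = summarize_by_source(parse_events(SAMPLE_AUTH_LOG))
    for ip, s in sorted(summary.items()):
        print(f"{ip:16} username probes={s['invalid']} "
              f"credential failures={dict(s['failed'])}")
    print("probe-only sources:", probe_only_sources(summary))
    print("methods attacked:", dict(methods_attacked(summary)))
```

Run against a real /var/log/auth.log, a source that shows up in probe_only_sources is the kind of bot described in this post; a source that shows up under methods_attacked with keyboard-interactive/pam is one that got past a plain PasswordAuthentication no.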

FreeBSD has (for a while?) disabled simple "password" authentication in its base sshd config. What does this mean? If a client connects requesting only "password" authentication, it will be rejected. Period. Example:

dns(~) !255! % ssh -o "PreferredAuthentications password" [email protected]
Permission denied (publickey,keyboard-interactive).
If you check /var/log/auth.log, you'll see:
Jul 19 06:10:32 dns sshd[5403]: Invalid user happytest from 192.168.0.252
Try the same with a valid user, however, and nothing is logged (by default). You are still denied outright.

The important point is that, I guess, pam_captcha is not necessary at this time. Every ssh client I have used has supported both public-key and keyboard-interactive authentication, so disabling 'password' everywhere should be a viable option. FreeBSD disables password auth by default, and no one seems to be complaining.

If you're worried about brute force attacks over ssh, then just disable 'password' authentication. In sshd_config:

PasswordAuthentication no
This leaves public-key and keyboard-interactive (PAM) as the ways to authenticate. Keeps normal users happy, and blocks brute force bots that only speak the 'password' method. That is, until the bot scripts are updated to use keyboard-interactive, perhaps? Who knows...
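Keyboard-interactive through PAM still ends in a prompt for the same Unix password from the usual pam_unix stack, so PasswordAuthentication no on its own only turns away clients that insist on the "password" method. As an added example (not from the post, and not how sshd is actually implemented), here is a simplified model of how sshd turns its config into the method list a client sees in "Permission denied (...)". It considers only PubkeyAuthentication, PasswordAuthentication and KbdInteractiveAuthentication (with ChallengeResponseAuthentication treated as the older spelling of the last), uses upstream OpenSSH's "yes" defaults for all three, applies sshd's first-occurrence-wins rule, and ignores Match blocks and whether a PAM or BSD-auth backend is present. Both config texts are constructed for the example.

```python
# Assumptions of this model (not from the original post): only the three
# keywords below matter, defaults are upstream OpenSSH's ("yes" for all),
# the first occurrence of a keyword wins as in sshd, Match blocks are not
# handled, and whether a PAM/BSD-auth backend exists is ignored.
DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
}
# ChallengeResponseAuthentication is the older name for the same switch.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Constructed configs: the weak one stops at the change quoted above, the
# hardened one also closes the keyboard-interactive path.
WEAK_SSHD_CONFIG = """\
# sshd_config with only the post's change applied
PasswordAuthentication no
UsePAM yes
"""

HARDENED_SSHD_CONFIG = """\
# sshd_config: keys only; PAM stays on for account and session handling
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
"""


def effective_settings(config_text):
    """Parse sshd_config text into the three settings this model tracks.

    Keywords are case-insensitive, '#' starts a comment, 'Key value' and
    'Key=value' are both accepted, and the first occurrence wins.
    """
    settings = dict(DEFAULTS)
    seen = set()
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        key = ALIASES.get(key, key)
        if key in settings and key not in seen:
            settings[key] = value
            seen.add(key)
    return settings


def offered_methods(config_text):
    """The methods sshd would advertise, in the order they appear in a
    "Permission denied (...)" message."""
    s = effective_settings(config_text)
    methods = []
    if s["pubkeyauthentication"] == "yes":
        methods.append("publickey")
    if s["passwordauthentication"] == "yes":
        methods.append("password")
    if s["kbdinteractiveauthentication"] == "yes":
        methods.append("keyboard-interactive")
    return methods


def password_guessing_possible(config_text):
    """True if a remote client can still submit a password at all: either
    via the "password" method or via keyboard-interactive, where pam_unix
    prompts for the same account password."""
    offered = offered_methods(config_text)
    return "password" in offered or "keyboard-interactive" in offered


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"{name:9} Permission denied ({','.join(offered_methods(cfg))})"
              f"  password guessing possible: {password_guessing_possible(cfg)}")
```

offered_methods(WEAK_SSHD_CONFIG) reproduces the (publickey,keyboard-interactive) list quoted above, which is exactly why a keyboard-interactive-aware bot would still get a password prompt; the hardened config leaves keys only. On a real host, check the effective configuration with sshd -T rather than by reading the file, since distribution defaults and Match blocks are not modelled here.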

pam_captcha 1.2 updated

This update fixes a few potential bugs and cleans up some other issues. I removed the 'cowsay' requirement and made the math and dda captchas compile-time options.

Check out the project page for information on pam_captcha and downloading it.

pam_captcha, release 1.0

I've been working on some code cleanups and documentation for pam_captcha. I put the code up for download if anyone's interested. There's no pretty project description page yet. This update adds syslog logging of captcha failures to LOG_AUTHPRIV for a happy audit trail.

I also put pam_captcha on one of my servers to see what happens. I use SSH keys so I'll never see the captcha stuff. I'm interested to see what kinds of brute force attempts get thwarted.


pam_captcha, round 3

I finally got around to adding math support and reworking the innards of pam_captcha to work better. In the process I fixed a few serious bugs (the crashy type).

This update adds a new feature I call "Dance Dance Authentication." It requires the user to perform a given physical task, read from a list of tasks I provide. These tasks include singing "I'm a little teapot" loudly, defining terms on the whiteboard, and other annoying and entertaining tasks.

I wholly realize that the physical task captcha has absolutely NO real-world uses or purposes. I wrote this part for the SPARSA competition, however, and I think it was worth it if you compare the time spent writing code (a few hours) against how hilarious it is going to be to watch fellow competitors singing songs just to attempt logins to my ssh service, or just to see the "wtf"-type faces.

Here's a screenshot:

pam_captcha, round two

I'm pleased to say that pam_captcha now works under both FreeBSD 6.0 and Linux 2.6.12 (Gentoo).

I'll put up a project page later.

Yay :)

pam_captcha, The Human Challenge, version 1

I'll publish the code that makes this happen later this week when it's finished. At any rate, it's a fun pam module that requires you to pretty much be a human when SSH'ing somewhere.