
Captcha for your ssh login

chilicuil

New Member
 
This PAM module is a product of Jordan Sissel [0] and it's so cool that I packaged it for Debian|Ubuntu, so in this tutorial I'll show you how to add captcha protection to your VPS instances =)
 
Installation

$ sudo add-apt-repository ppa:chilicuil/sucklesstools
$ sudo apt-get update && sudo apt-get install libpam-captcha


Configuration
 
To enable this module, you'll need to edit /etc/pam.d/sshd and add to the first line the following:

auth requisite pam_captcha.so math randomstring

And then ensure that your /etc/ssh/sshd_config has the following options enabled:

PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes


You can still use password auth, but it doesn't make a lot of sense, since automated scripts can request this method and avoid the captcha, so it's better to disable it. On the other hand, if you use ssh key based auth the captcha will be skipped.
 
After ensuring your settings are correct, you'll need to reboot the ssh service:
 
$ sudo service ssh restart
 
And that's all, most automated attacks will be rejected.
 
Feel free to grab the modified source at:
 
https://github.com/chilicuil/pam_captcha
 
Or the original at [0]. If you liked the post, rate it =)
 
[0] http://www.semicomplete.com/projects/pam_captcha
 

peterw

New Member
I don't like to install scripts from third party repositories, and it is not a good idea if you use fonts and figlet on different terminals. You should stop coding and keep your CEO work.


srand(time(NULL));

Meh code.
 

HalfEatenPie

The Irrational One
Retired Staff
While I probably wouldn't use this for a production server, I think this is a pretty fun and interesting thing here!
 

24/7/365

New Member
Verified Provider
I don't like to install scripts from third party repositories, and it is not a good idea if you use fonts and figlet on different terminals. You should stop coding and keep your CEO work.


srand(time(NULL));

Meh code.
Is this bad C++ practice or just bad cryptographic practice?
 

peterw

New Member
Is this bad C++ practice or just bad cryptographic practice?
Both. If you are trying to run the program quickly in succession and get different random numbers each time, initializing with the current time is the wrong approach. Never run srand in a loop or in subsequent calls. What he needs is a random source, not a timestamp.


*captcha_list = malloc(len * sizeof(captcha_func_t));
memset(*captcha_list, 0, len * sizeof(captcha_func_t));

memset and pointers are bad. Easy example:

Code:
   // Stack corruption! 4 bytes will be initialized, not 2
   // (sizeof(chars2) is the size of the pointer, not of the array it points to)
   char chars[2];
   char *chars2 = chars;
   memset(chars2, 0, sizeof(chars2));
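As an added example (not code from pam_captcha or from anyone in this thread), here is the clock-seeded pattern criticised above beside a generator that draws from the kernel CSPRNG; the alphabet, function names and seed value are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Hypothetical challenge generator (not pam_captcha's code). The alphabet
   omits glyphs figlet renders ambiguously (0/O, 1/I/l). */
static const char ALPHABET[] = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789";

/* Weak: seeded from the clock, so every login within the same second gets the
   same challenge. This is the srand(time(NULL)) pattern criticised above. */
void time_seeded_challenge(char *out, size_t len, time_t seed) {
    size_t alpha = sizeof(ALPHABET) - 1;
    srand((unsigned)seed);
    for (size_t i = 0; i < len; i++)
        out[i] = ALPHABET[rand() % alpha];
    out[len] = '\0';
}

/* Fixed: draw bytes from the kernel CSPRNG (/dev/urandom; getrandom(2) is the
   modern equivalent), rejecting values that would bias the modulo reduction.
   Returns 0 on success, -1 if the random source is unavailable. */
int secure_challenge(char *out, size_t len) {
    size_t alpha = sizeof(ALPHABET) - 1;
    unsigned limit = 256 - (256 % alpha);   /* largest multiple of alpha <= 256 */
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    for (size_t i = 0; i < len; ) {
        int b = fgetc(f);
        if (b == EOF) { fclose(f); return -1; }
        if ((unsigned)b >= limit) continue;  /* discard to keep the draw uniform */
        out[i++] = ALPHABET[b % alpha];
    }
    fclose(f);
    out[len] = '\0';
    return 0;
}

/* 1 if two clock-seeded challenges generated in the same second are identical. */
int same_second_collides(void) {
    char a[9], b[9];
    time_seeded_challenge(a, 8, (time_t)1700000000);  /* constructed seed */
    time_seeded_challenge(b, 8, (time_t)1700000000);
    return strcmp(a, b) == 0;
}
/* 1 if two back-to-back CSPRNG challenges are well-formed and differ. */
int secure_challenges_differ(void) {
    char a[17], b[17];
    if (secure_challenge(a, 16) != 0 || secure_challenge(b, 16) != 0) return 0;
    return strcmp(a, b) != 0 && strspn(a, ALPHABET) == 16 && strspn(b, ALPHABET) == 16;
}
```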
 

tchen

New Member
That memset point is a stylistic choice. The original uses sizeof struct, not sizeof on a pointer - perfectly valid and standard, especially with appropriate type naming.
 

KuJoe

Well-Known Member
Verified Provider
The only benefit this can add to a server is to prevent brute force attacks. An easier, less hassle method is to change your SSH port to something other than 22 which will reduce bruteforce attacks by 99.9999% as long as you don't post your SSH port publicly somewhere. For the other 0.0001% of attacks, Fail2Ban/Denyhosts will take care of them.

Of course, disabling passwords will prevent 100% of bruteforce attacks also. ;)
 

dano

New Member
That is pretty neat -- been using two factor ssh logins with Authy on a few test machines, just wish SCP would act properly with it.
 

willie

Active Member
It's a cute idea though if it catches on, crackers will deploy code to recognize the characters.  I just use passwd -l to lock out password login completely, and rely on public key login. 
 

chilicuil

New Member
It's a cute idea though if it catches on, crackers will deploy code to recognize the characters.  I just use passwd -l to lock out password login completely, and rely on public key login. 
Yep, but since the code is quite simple, there could exist zillions of variations, which could be fun for both crackers and system administrators =). So far I've not found any automated robot that could pass the captcha successfully. The idea here is not to rely only on this technique to secure your servers, but to use it when you don't have ssh key login available. Or is it the case that everybody goes everywhere with their main laptop? I don't. And when I go with nothing but myself I still would like to log in to my servers, and the captcha is only one more layer there to make it a little bit more secure.

Other methods such as Fail2Ban/Denyhosts or changing the default port are equally acceptable to further improve the security of your site.
 