
Securing SSH access with pam_captcha

Anyone who runs an SSH service on the default port and has it reachable from the whole Internet will by now have noticed the constant, mindless banging on the door: automated attempts to get into the system by guessing passwords for (possibly existing) user accounts. This is not a danger in itself, as long as every account has a strong password.

Several places on the net tell you to move sshd to a non-default port, or to install scripts that modify the firewall to block an address after it has already produced a burst of failed logins. Both approaches work, but neither is, in my opinion, "clean".

Then I found pam_captcha, and it seems my worries are over. pam_captcha is an ASCII-art captcha module for PAM (the same idea as the captchas on the web where you have to type the text shown, often deliberately distorted, in an image). It uses figlet (a text-to-ASCII-art program) to render a challenge that only a human at the keyboard can answer, during keyboard-interactive password authentication. A session can look like this:

One caveat is that figlet does not always produce the most readable ASCII-art captchas; on the other hand you don't want something that OCR software can read either, so this is a limitation of the technique rather than a bug. The PAM module was easy to compile and install, but the path to figlet is hard-coded in the source, and on most standard Linux installations it needs to be changed.
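Because the captcha is only ever shown over the keyboard-interactive path, and because the module looks for figlet at a compiled-in path, it is worth checking the whole chain before relying on it. The script below is an added example written for this page; it is not part of pam_captcha and does not come from its author. It assumes the usual locations (/etc/ssh/sshd_config, /etc/pam.d/sshd) and assumes the module expects figlet at /usr/bin/figlet; adjust those to match what you compiled in. It also assumes the sshd_config settings "UsePAM yes", "ChallengeResponseAuthentication yes" (spelled KbdInteractiveAuthentication on newer OpenSSH) and "PasswordAuthentication no", and a line "auth requisite pam_captcha.so" in sshd's PAM stack:

```shell
#!/bin/sh
# Pre-flight check for a pam_captcha deployment. Added example for this page;
# not code from pam_captcha or from the original author. Assumed paths:
#   /etc/ssh/sshd_config   sshd configuration
#   /etc/pam.d/sshd        PAM stack used by sshd
#   /usr/bin/figlet        the figlet path assumed to be compiled into the module

# sshd_option FILE KEY: print the effective value of KEY. sshd honours the
# first uncommented occurrence of a keyword (keywords are case-insensitive),
# so stop at the first match.
sshd_option() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# kbd_interactive_enabled FILE: true if keyboard-interactive auth is on.
# KbdInteractiveAuthentication is the current keyword; ChallengeResponseAuthentication
# is the older alias. Both default to "yes" when absent.
kbd_interactive_enabled() {
    v=$(sshd_option "$1" KbdInteractiveAuthentication)
    [ -z "$v" ] && v=$(sshd_option "$1" ChallengeResponseAuthentication)
    [ -z "$v" ] || [ "$v" = "yes" ]
}

# pam_has_captcha FILE: true if an uncommented "auth" line loads pam_captcha.so.
pam_has_captcha() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+[^#]*pam_captcha\.so' "$1"
}

# check_captcha_setup SSHD_CONFIG PAM_SSHD FIGLET: returns 0 only when every
# check passes; each failure is printed so the operator knows what to fix.
check_captcha_setup() {
    cfg=$1; pamf=$2; figlet=$3; rc=0

    # 1. sshd must hand authentication to PAM at all (UsePAM defaults to "no").
    if [ "$(sshd_option "$cfg" UsePAM)" != "yes" ]; then
        echo "FAIL: $cfg needs 'UsePAM yes' or pam_captcha is never consulted"; rc=1
    fi
    # 2. The captcha can only be displayed over keyboard-interactive authentication.
    if ! kbd_interactive_enabled "$cfg"; then
        echo "FAIL: $cfg disables keyboard-interactive (needed to show the captcha)"; rc=1
    fi
    # 3. The plain "password" method cannot carry an extra prompt, so leave
    #    keyboard-interactive as the only password path.
    if [ "$(sshd_option "$cfg" PasswordAuthentication)" != "no" ]; then
        echo "FAIL: $cfg should set 'PasswordAuthentication no'"; rc=1
    fi
    # 4. The module must actually be in sshd's auth stack (not commented out).
    if ! pam_has_captcha "$pamf"; then
        echo "FAIL: no uncommented 'auth ... pam_captcha.so' line in $pamf"; rc=1
    fi
    # 5. figlet must exist at the path compiled into the module.
    if [ ! -x "$figlet" ]; then
        echo "FAIL: figlet not executable at $figlet (fix the path in the module source)"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: pam_captcha setup looks consistent"
    return "$rc"
}

# Check the live system when run with --live (read-only; changes nothing).
if [ "${1:-}" = "--live" ]; then
    check_captcha_setup /etc/ssh/sshd_config /etc/pam.d/sshd /usr/bin/figlet
fi
```

Run it as `sh check_captcha.sh --live` after installing the module and before restarting sshd. Two things it cannot check for you: keep a second session open while you restart sshd, because a wrong figlet path or a failing module locks out every password login; and remember that public-key logins never run PAM's auth stack, so the captcha only guards password-based access, which is exactly where the guessing attacks land.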

The documentation is sparse, but the module does what it is meant to do, and I don't have much to complain about when it comes to functionality. Do yourself a favor and install it, so that a password-guessing script can't compromise your system just because one user chose a poor password.
