LinuxQuestions.org
Linux - Networking: This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
Old 04-30-2012, 06:49 AM   #1
Zanto
LQ Newbie
 
Registered: Apr 2012
Location: Denmark
Distribution: Ubuntu 11.04 LTS x64
Posts: 4

Ubuntu Server: Block all MAC address with exceptions


Hi.

I'm sitting with a quite annoying problem.
Some kids are trying to get into my SSH, and it's filling my logs to over 5 MB daily.

My server is running Ubuntu 11.04 LTS.
I want to set it up so that only those I approve can use port 22, and the current users have dynamic IP addresses, so my only option is to filter on MAC address.
We cannot get a static IP address at all, our ISP doesn't accept that, and we have no other options for ISPs.

I've tried with iptables, but it works quite badly, to be honest.
I added my own MAC address to start off with, then I added my brother's MAC address, and for some reason I couldn't connect on port 22 at all.

Anyone who knows how to do this?

NB: The server is a VPS.
 
Old 04-30-2012, 08:01 AM   #2
wildwizard
Member
 
Registered: Apr 2009
Location: Oz
Distribution: slackware64-14.0
Posts: 875

You can not filter based on MAC addresses over the Internet.

MAC filtering only works on the local network segment; as soon as you go through a router, the only MAC address you will see is the MAC address of that router.

EDIT: Handling dynamic IPs may not be that hard, especially if you're allocated an IP within a set IP block. You can just allow that IP block and most of the hack attempts will disappear.

Last edited by wildwizard; 04-30-2012 at 08:03 AM.
 
Old 04-30-2012, 08:51 AM   #3
Zanto
LQ Newbie
 
Registered: Apr 2012
Location: Denmark
Distribution: Ubuntu 11.04 LTS x64
Posts: 4

Original Poster
Then how can I do it without telling them to register through NoIP or others?
I don't want to add a new IP every day...
 
Old 05-01-2012, 04:25 AM   #4
wildwizard
Member
 
Registered: Apr 2009
Location: Oz
Distribution: slackware64-14.0
Posts: 875

Say the IPs that you try and connect from change around, but they look kinda like this list:

192.168.20.123
192.168.20.32
192.168.20.98
192.168.21.100
192.168.21.34

Note how the first 2 octets are always 192.168.

If you only see this level of variation you can allow 192.168.0.0/16, which will allow anything so long as the first 2 octets are 192.168.

Your ISP will always allocate IPs from the same pool, so you will see a pattern; you just need to find it and then allow it while blocking everything else.
 
Old 05-01-2012, 06:31 AM   #5
Zanto
LQ Newbie
 
Registered: Apr 2012
Location: Denmark
Distribution: Ubuntu 11.04 LTS x64
Posts: 4

Original Poster
I'm talking about external IPs, since my server is in Germany, while my brother and I are in Denmark.

So e.g. my IP is 85.218.131.21
Now, my problem is that both 218 and 131 are changing.
And I don't know what my brother's IP is atm.
 
Old 05-01-2012, 06:49 AM   #6
michaelk
Moderator
 
Registered: Aug 2002
Posts: 25,694

Take a look at fail2ban.

http://www.fail2ban.org/wiki/index.php/Main_Page
 
Old 05-01-2012, 07:10 AM   #7
wildwizard
Member
 
Registered: Apr 2009
Location: Oz
Distribution: slackware64-14.0
Posts: 875

Quote:
Originally Posted by Zanto
I'm talking about external IPs, since my server is in Germany, while my brother and I are in Denmark.

So e.g. my IP is 85.218.131.21
Now, my problem is that both 218 and 131 are changing.
And I don't know what my brother's IP is atm.
Ignore the fact that my example used RFC internal IPs; the same thing applies no matter what.

85.218.131.21

And you say 218 changes. Changes to what? What is the variability?
The same with 131: what does it change to, what are the limits?

When you know the limits of the variability you will have the basis for a rule that allows from that ISP, but only that ISP.
 
Old 05-01-2012, 07:15 AM   #8
Zanto
LQ Newbie
 
Registered: Apr 2012
Location: Denmark
Distribution: Ubuntu 11.04 LTS x64
Posts: 4

Original Poster
218 has been 320 and others.
While 131 has been both 195 and 210.

I don't really see any patterns at all.
 
Old 05-01-2012, 08:38 AM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote:
Originally Posted by Zanto
I don't really see any patterns at all.
It's 85.218.128.0/17 so you want "-m tcp -s 85.218.128.0/17 --dport 22 -m state --state NEW -j ACCEPT".
 
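An added worked example (mine, not code from anyone in this thread) that ties posts #4, #7, #8 and #9 together: given a handful of addresses the approved client has connected from, it computes the smallest single prefix that covers all of them, emits the iptables ACCEPT from post #9 together with the DROP that has to follow it, and runs a few constructed sshd log lines through that allow-list to show how much of the noise it would remove. The 85.218.x.x addresses come from the thread; their last octets, the log lines, and the attacker addresses (RFC 5737 documentation ranges) are made up. The prefix you get from a few samples is only as wide as the samples, so the ISP's real allocation may be larger; the thread's /17 is the sanity check here.

```python
import ipaddress
import re
from typing import Dict, Iterable, List

# Constructed sample: addresses the approved client was seen connecting from.
# The first is Zanto's own example from the thread; the other two reuse the
# third octets (195, 210) he reports, with made-up last octets.
OBSERVED_CLIENT_IPS = ["85.218.131.21", "85.218.195.7", "85.218.210.140"]

# Constructed sshd log lines. Attacker sources use RFC 5737 documentation
# ranges (203.0.113.0/24, 198.51.100.0/24), so they are not real hosts.
SAMPLE_AUTH_LOG = """\
Apr 30 06:12:01 vps sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Apr 30 06:12:03 vps sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Apr 30 06:13:44 vps sshd[1301]: Failed password for root from 198.51.100.77 port 40022 ssh2
Apr 30 06:20:10 vps sshd[1355]: Accepted publickey for zanto from 85.218.195.7 port 50110 ssh2
Apr 30 06:25:51 vps sshd[1402]: Failed password for zanto from 85.218.210.140 port 50200 ssh2
"""

# Matches the OpenSSH "Failed/Accepted <method> for [invalid user] <name> from <ip>" form.
FROM_RE = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) \w+ for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)"
)


def smallest_covering_network(addrs: Iterable[str]) -> ipaddress.IPv4Network:
    """Smallest single IPv4 prefix containing every observed address.

    Start from the first address as a /32 and widen the prefix one bit at a
    time until all addresses fall inside it. For OBSERVED_CLIENT_IPS this
    gives 85.218.128.0/17, the range unSpawn names in post #9.
    """
    ips = [ipaddress.IPv4Address(a) for a in addrs]
    if not ips:
        raise ValueError("need at least one address")
    net = ipaddress.IPv4Network(f"{ips[0]}/32")
    while not all(ip in net for ip in ips):
        net = net.supernet()  # drop one prefix bit; terminates at /0 at worst
    return net


def iptables_rules(allowed: ipaddress.IPv4Network, port: int = 22) -> List[str]:
    """Rule lines in the shape of post #9, plus a default DROP for the port.

    The DROP line is my addition: the ACCEPT alone changes nothing unless
    NEW connections to the port from everywhere else are refused after it.
    """
    return [
        f"iptables -A INPUT -p tcp -m tcp -s {allowed} --dport {port} "
        f"-m state --state NEW -j ACCEPT",
        f"iptables -A INPUT -p tcp -m tcp --dport {port} -m state --state NEW -j DROP",
    ]


def classify_log(log_text: str, allowed: ipaddress.IPv4Network) -> Dict[str, Dict[str, int]]:
    """Count sshd auth events per source IP, split by whether the allow-list
    would have let that source reach the port at all.

    Everything under "outside" is log noise the firewall rule would remove;
    "inside" is what is left to actually look at.
    """
    inside: Dict[str, int] = {}
    outside: Dict[str, int] = {}
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if not m:
            continue
        ip = ipaddress.IPv4Address(m.group(3))
        bucket = inside if ip in allowed else outside
        bucket[str(ip)] = bucket.get(str(ip), 0) + 1
    return {"inside": inside, "outside": outside}


if __name__ == "__main__":
    net = smallest_covering_network(OBSERVED_CLIENT_IPS)
    print("covering prefix:", net)
    for rule in iptables_rules(net):
        print(rule)
    print(classify_log(SAMPLE_AUTH_LOG, net))
```

Running it prints `85.218.128.0/17`, the two rule lines, and a split showing the three documentation-range attempts as "outside" and the two 85.218.x.x events as "inside". Note that this only narrows the allow-list from samples; it does not tell you the ISP's real block, and a prefix derived from too few samples will lock out the next address the ISP hands you.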
Old 05-01-2012, 09:09 AM   #10
Skaperen
Senior Member
 
Registered: May 2009
Location: center of singularity
Distribution: Xubuntu, Ubuntu, Slackware, Amazon Linux, OpenBSD, LFS (on Sparc_32 and i386)
Posts: 2,684
Blog Entries: 31

The simple solution I've been using for years for this problem (yes, specifically the log flooding) is to use a different non-standard port for SSH. Yes, it is obscurity which does not improve security ... in a technical sense. But I say it helps in that without flooding logs, it's easier to see the real issues that might exist in the logs. And so it is a bit more secure in the administrative sense (something too often overlooked in security design).
 
Old 05-02-2012, 11:39 AM   #11
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote:
Originally Posted by Skaperen
But I say it helps in that without flooding logs, it's easier to see the real issues that might exist in the logs.
...and that's why you got log reporting tools. You know, Logwatch or an equivalent.
 
Old 05-02-2012, 07:08 PM   #12
Skaperen
Senior Member
 
Registered: May 2009
Location: center of singularity
Distribution: Xubuntu, Ubuntu, Slackware, Amazon Linux, OpenBSD, LFS (on Sparc_32 and i386)
Posts: 2,684
Blog Entries: 31

Quote:
Originally Posted by unSpawn
...and that's why you got log reporting tools. You know, Logwatch or an equivalent.
And these know which incidents are just people looking for another computer to "0wn" and which incidents are someone specifically attacking you?
 
Old 05-04-2012, 11:02 AM   #13
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

You never tried Logwatch, have you?
 
Old 05-04-2012, 08:47 PM   #14
jefro
Moderator
 
Registered: Mar 2008
Posts: 21,976

Kind of a bit of a risk, but maybe set times for services so that it limits access to the times when you would need it.

I am not sure if they are kids. All sorts of automated attacks run 24/7.
 