This seems to be a nice little script for those that are really paranoid about their ssh port.
http://www.undersea.net/seanm/softwa...-access.tar.gz Take a look at the README in it. It tells you how to set the whole thing up. You might have to wget it.
A script
In case anyone is interested, I have created the following script that adds IP subnets to both the hosts.deny file and the iptables.
It actually adds an entire /24 subdomain (###.###.###.0/255.255.255.0). This is so people with dynamic IP addresses are more likely to be blocked when they renew the lease. IT DOES NOT BLOCK INVALID LOCAL USERS THAT ARE ON THE SAME CLASS C (/24) SUBNET AS THE SERVER AS DETERMINED BY COMMAND "hostname -i".
Its limitations are as follows:
o It only compares "hosts.deny" and log file "secure" for new entries.
o It updates a file with the iptables, which should be restored on reboot using iptables-restore.
o It has only been tested on RH ES Linux and uses commands such as hostname, egrep etc. Some of these aren't fully qualified, so you should either edit the script accordingly, or make sure the PATH environment variable includes the directories for these programs.
It could do with being more efficient, but I just wanted something quick. Don't ask for support and use at your own risk.
Code:
#!/bin/bash
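The poster's script itself is not reproduced in this thread. The following is an added example (my own code, not the poster's) of the logic the post describes: pull the source addresses of failed sshd logins out of a "secure"-style log, collapse them to /24 networks, skip the server's own /24 (the post derives the server address with "hostname -i"; here SERVER_IP is a constructed value), drop networks already present in hosts.deny, and emit the hosts.deny line and the iptables rule for each remaining one. The log lines and the hosts.deny content are constructed samples; the example prints the rules rather than applying them, so it can be run and checked offline.

```shell
#!/bin/bash
# Added example, not the original poster's script: derive /24 blocks for
# failed sshd logins. Real use would feed /var/log/secure and append the
# output to /etc/hosts.deny and an iptables rules file.

# Constructed sample of /var/log/secure lines (not from a real host).
SAMPLE_LOG='Apr  3 10:01:12 srv sshd[2112]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Apr  3 10:01:15 srv sshd[2112]: Failed password for invalid user admin from 203.0.113.45 port 51236 ssh2
Apr  3 10:02:40 srv sshd[2119]: Failed password for root from 198.51.100.7 port 40022 ssh2
Apr  3 10:03:01 srv sshd[2125]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
Apr  3 10:04:09 srv sshd[2130]: Failed password for invalid user test from 192.0.2.99 port 50100 ssh2'

# Constructed local address; the poster's script gets this from "hostname -i".
SERVER_IP="192.0.2.10"

# Print the /24 prefix ("a.b.c") of a dotted-quad address.
prefix24() {
    printf '%s\n' "$1" | awk -F. '{ print $1 "." $2 "." $3 }'
}

# Read log text on stdin; print each offending /24 prefix once, in order of
# first appearance, excluding the server's own /24.
failed_subnets() {
    local own
    own=$(prefix24 "$SERVER_IP")
    awk -v own="$own" '
        /sshd.*: Failed password for/ {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (split(ip, o, ".") == 4) {
                p = o[1] "." o[2] "." o[3]
                if (p != own && !(p in seen)) { seen[p] = 1; print p }
            }
        }'
}

# hosts.deny line for a /24, in the post's "###.###.###.0/255.255.255.0" form.
deny_line() { printf 'sshd: %s.0/255.255.255.0\n' "$1"; }

# iptables rule dropping the whole /24 (printed here, not executed).
drop_rule() { printf 'iptables -A INPUT -s %s.0/24 -j DROP\n' "$1"; }

# $1 = log text, $2 = current hosts.deny text. Prints the deny line and the
# drop rule for every /24 in the log that hosts.deny does not already list.
new_blocks() {
    printf '%s\n' "$1" | failed_subnets | while read -r p; do
        case "$2" in *"$p.0/255.255.255.0"*) continue ;; esac
        deny_line "$p"
        drop_rule "$p"
    done
}

# Stand-alone run: what would be added for the sample log and an empty hosts.deny.
new_blocks "$SAMPLE_LOG" ""
```

On a live system the two inputs would be `"$(cat /var/log/secure)"` and `"$(cat /etc/hosts.deny)"`, and the printed lines would be appended to hosts.deny and the iptables rules file respectively; the 192.0.2.99 failure in the sample is deliberately ignored because it falls in the server's own /24, which is exactly the limitation the post calls out in capitals.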
From looking at all of the scripts that have been written for updating the iptables and just blocking these attempts, I figured that I would share my script that actually tells someone (the ISP) about these attempts.
You can get it here. This will ask you to save it. It's a 444 file, so you don't have to worry about it. Other than that, do what others have suggested:
- sshd_config: AllowUsers - set this up properly; it will disallow anyone not there
- set up usernames to more than just a first name
- set up good passwds
- set up dsa/rsa keys
- check your logs
Systems should be tightened up from the config files. If people aren't being proactive in their concerns about attempted break-ins, they will keep happening. That is, if people are just configuring their server, then these kids will keep spreading the scripts, and keep trying others and succeeding. I feel, it's an opinion, that if the ISP doesn't know that this is happening from their blocks, even if it's an infected host, then nothing will change. We have a responsibility, as server operators, to keep the web safe for others and ourselves. When people are only focusing on their own system's security, and not helping others, then we might as well be running a bought OS.
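The hardening list in the post above (AllowUsers, keys rather than passwords, no root login) is the kind of thing worth checking mechanically. The following is an added example, my own code and not the poster's reporting script: a small audit function that reads sshd_config text and prints one line per setting that does not match those recommendations. The two configurations are constructed samples, one weak and one hardened, so the check can be run offline.

```shell
#!/bin/bash
# Added example, not the poster's script: audit an sshd_config against the
# hardening points listed in the post. Run on a live host with:
#   audit_sshd_config "$(cat /etc/ssh/sshd_config)"

# Constructed sshd_config samples (not from a real host).
WEAK_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes
#AllowUsers alice'

HARD_CONFIG='Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
AllowUsers alice bob'

# Value of a directive: first uncommented line whose keyword matches
# (sshd keywords are case-insensitive). Prints nothing if the directive is unset.
sshd_opt() {   # $1 = config text, $2 = directive name
    printf '%s\n' "$1" | awk -v key="$2" '
        $0 !~ /^[[:space:]]*#/ && tolower($1) == tolower(key) { print $2; exit }'
}

# Print one finding per line; prints nothing for a config that passes all checks.
audit_sshd_config() {   # $1 = config text
    local cfg="$1"
    [ -z "$(sshd_opt "$cfg" AllowUsers)" ] \
        && echo "AllowUsers not set: every account with a shell may log in over ssh"
    [ "$(sshd_opt "$cfg" PermitRootLogin)" != "no" ] \
        && echo "PermitRootLogin is not 'no': root is a guessable account name"
    [ "$(sshd_opt "$cfg" PasswordAuthentication)" != "no" ] \
        && echo "PasswordAuthentication is not 'no': password guessing still possible"
    [ "$(sshd_opt "$cfg" PubkeyAuthentication)" = "no" ] \
        && echo "PubkeyAuthentication disabled: key-based login cannot be used"
    return 0
}

# Stand-alone run against both samples.
echo "== weak config =="
audit_sshd_config "$WEAK_CONFIG"
echo "== hardened config =="
audit_sshd_config "$HARD_CONFIG"
```

The check reads only global directives; settings inside `Match` blocks are ignored, so treat an empty result as "nothing obviously wrong in the global section" rather than a full review. Turning `PasswordAuthentication` off should of course only be done after a key has been installed and tested from a second session.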
You can run the agent by
Code:
ssh-agent /bin/bash
Instead of /bin/bash you can use the shell you feel comfortable with; personally I invoke bash with a different .bashrc so I know when I am in a shell running the agent. After the agent is running you run ssh-add
Code:
ssh-add
If you now establish a ssh connection you should connect without any further authentication. To be on the secure side you can unload the keys out of the agent by running
Code:
ssh-add -D
Code:
ssh-add -L
Code:
ssh-add -U
Code:
ssh-add -l
It is good practice to unload the keys before quitting the agent with exit. Here is my .bashrc which I use with ssh-agent
Code:
export PS1="SSH-\u:\w>"
Code:
ssh-agent /bin/bash -rcfile .bashsshrc
authfail
I've been getting this crap for quite a while. I originally just changed the ssh port to a non-standard port but that only fended off some of them. I still came home to a flooded log. I found this program called authfail http://www.bmk.bz/?p=33 that worked great for me. It by default logs 4 failed ssh login attempts from the same IP then puts the IP into iptables -j DROP, all realtime. I had to hack the hell out of it to make it work (it read the IP wrong, started kinda crummy, and a few other things, and I made it add the IP to hosts.deny also), but looking at the website it appears that it's been updated since I got it so maybe that stuff is fixed. Anyway, it's made my logs a whole lot smaller and keeps people from continually hammering away at my sshd while allowing real traffic in (even with a few failed logins).
//Moderator note: This thread is the abbreviated version of a much larger original thread that can be found here. Only the most relevant posts have been included in this version.
A recent Slashdot article discussed this issue and included a number of links to apps that looked interesting:
http://denyhosts.sourceforge.net/
http://www.csc.liv.ac.uk/~greg/sshdfilter/
http://www.hexten.net/sw/pam_abl/index.mhtml
http://fail2ban.sourceforge.net/
Obviously use at your own risk.
Our very own LQ mod Tinkster pointed out this tool that looks useful as well:
http://www.aczoom.com/cms/blockhosts/ Thanks Tink!
A quite complete summary of options from the makers of Samhain: Defending against brute force ssh attacks.