Hi,

I have a situation. I have these ip addresses that are attacking by box. They are trying to log into ssh with a user and pass and it fails. What I want to do is block them after a certain IP fails to log in after 3 tries. However I do not want to lock the user because they are attacking my user etc. Is this possible?

Thanks,
Steve

I have read (but of course don't remember ) several articles talking about how to do this, so I know solutions are out there. This article talks about one such solution about half way down the page. For other solutions, try entering the word iptables and the phrase ssh attack in a search engine. Or perhaps come up with better search terms.

EDIT: As fate would have it, I just ran across one of solutions that I couldn't remember the name of ... From Fail2ban's website:

The article I was reading says it works for ssh and does exactly what you are asking. Bans can be temporary or permanent. You can protect selected IP addresses from being banned via a whitelist. Cheers.

Ok thanks for your input, I will check it out.
Steve

I'd suggest you try Denyhosts which is an application specifically designed to block SSH attacks.

The app can be run with a Cron or a Daemon, and basically allows you to configure the app to block failed attempts to your SSH service. It sends offending IPs to the hosts.deny file and allows you to configure things differently for "root" or other users (i.e: If someone tries to login with root block them right away, but if you try to access with another account block the IP after 10 attempts and so on). The config file is pretty straightforward.

http://denyhosts.sourceforge.net/

If you Google "denyhosts tutorial" you'll find some useful articles about installing and configuring.

George

I tried denyhosts and it seems to works really well and it was very very easy to configure. I would recommend it to anyone. I'll check out the stats tonight to see how many attempts were made and then blocked. People were attacking by the thousands. I guess my next question is people are attacking my mailserver to see if it is an open relay server(which it is not), is there a way to block them. What are your opinions on IPCop?

Thanks

sba do you work for a company and getting attacked?

no i have a personal server why does that matter? I am still getting attacked. Within hours it was being attacked!!!

I played with it several hours a year or two ago and was favorably impressed, but I had no immediate need for it. I have also read favorable comments from other people. YMMV. If you have a spare computer laying around I would suggest you play around with it on that before deciding if you want to put it into production. Its requirements are quite minimal (particularly for simple testing), but it is designed to be the only thing on the box.

I don't know that IPCop would specifically help with your mail server being swarmed. Fail2ban might be better for this task unless you have only a small number of IP addresses that you want to allow to access your mail server. (I suppose you could run something like fail2ban on your IPCop box, but the developers of IPCop warn you to be very careful about adding additional software to make sure you don't inadvertently create a security hole.)

In /etc/ssh/sshd_config:
In /etc/hosts.deny:
In /etc/hosts.allow:
Read also
http://linux.about.com/od/commands/l...l5_hostsde.htm
http://www.linux.com/article.pl?sid=07/03/26/1423232