Old 05-13-2005, 11:44 AM   #1
leofoxx
LQ Newbie
 
Registered: May 2005
Posts: 3

Rep: Reputation: 0
How do I block IP's to prevent unauthorized SSH login attempts?


I'm still fairly new to Linux. I have an old PII running FC3 that I use as a fileserver and internet router for my home network. I get constant attempts from multiple IP's to login to my server through ssh. Up to this point, I've just been blocking the IP's as I see them in the logs by adding an Iptable entry, but this is becoming a pain.

Is there a better way? Maybe an automated one?
 
Old 05-13-2005, 12:06 PM   #2
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,780
Blog Entries: 1

Rep: Reputation: 412
Welcome to LQ!


Well, given that these attacks come from all over the IP address spectrum, your first effort should be towards making sure that SSH is securely locked down. Here are some suggestions:

- If you access ssh from already known IP addresses, re-write your firewall or use hosts.allow and hosts.deny to allow only those IP addresses (or address ranges) through.

- Add an AllowUsers line to your sshd_config file. This means that ONLY the users listed on that line are allowed ssh access.

- Modify your sshd_config so that it uses public/private key authorization. That way only those who have a legitimate key on the system will have access.

- Make sure that you are only using the SSH 2 protocol (again, something you set in your sshd_config file).

Personally I use the last three methods and while I see almost daily attacks, the only thing they do is fill up my log file.

Last edited by Hangdog42; 05-13-2005 at 12:07 PM.
 
Old 05-14-2005, 01:36 AM   #3
leofoxx
LQ Newbie
 
Registered: May 2005
Posts: 3

Original Poster
Rep: Reputation: 0
Thanks

Okay, I'll look into those, thanks.
 
Old 05-14-2005, 09:02 AM   #4
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,780
Blog Entries: 1

Rep: Reputation: 412
Of course I forgot to add the most important thing... If you're not using ssh at all, simply shut down the service. That will prevent any attack from getting through.
 
Old 05-14-2005, 09:24 PM   #5
javaroast
Member
 
Registered: Apr 2005
Posts: 130

Rep: Reputation: 18
Allow access only to specific IPs using IPtables. You will no longer see the log entries as connection attempts will simply be blocked.

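# Source addresses and ranges that are allowed to reach SSH
SSH="1.2.3.0/24 1.2.5.6 1.2.0.0/16 1.2.9.13"
# Path to the iptables binary (assumed here; the snippet comes from a larger script)
IPT=/sbin/iptables

# IN_FIREWALL is a custom chain that must already exist in the firewall script
for sip in $SSH
do
    $IPT -A IN_FIREWALL -p tcp -s "$sip" --dport 22 -m state --state NEW -j ACCEPT
done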
 
Old 05-19-2005, 09:11 AM   #6
pedrobl
LQ Newbie
 
Registered: Sep 2004
Distribution: ubuntu, fedora, mint, android
Posts: 2

Rep: Reputation: 0
Thumbs up

Check this site: http://www.pettingers.org/code/SSHBlack.html

It has a Perl script that automates what you are doing, i.e. after a configurable number of failed login attempts, it blocks for a configurable time the IP using iptables. I've been using it in a few servers and it works great!

I strongly recommend it. Cheers,
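
Added example, not part of the post above and not the SSHBlack script itself: a Python sketch of the threshold-and-timeout approach described there (N failed logins inside a window, then a block that expires). The log lines are constructed, the function names, INPUT chain and default values are assumptions, and the rules are only rendered as text, not run.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the classic syslog format written by sshd.
SAMPLE_LOG = """\
May 13 11:40:01 server sshd[2101]: Failed password for root from 203.0.113.5 port 40122 ssh2
May 13 11:40:03 server sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 40130 ssh2
May 13 11:40:05 server sshd[2105]: Failed password for illegal user test from 203.0.113.5 port 40139 ssh2
May 13 11:41:10 server sshd[2110]: Accepted publickey for leo from 192.0.2.10 port 51000 ssh2
May 13 11:42:00 server sshd[2120]: Failed password for leo from 198.51.100.7 port 33001 ssh2
May 13 12:30:00 server sshd[2200]: Failed password for leo from 198.51.100.7 port 33050 ssh2
May 13 12:59:00 server sshd[2210]: Failed password for leo from 198.51.100.7 port 33090 ssh2
May 13 13:00:00 server sshd[2300]: Failed password for invalid user x from 192.0.2.10 from 203.0.113.5 port 40200 ssh2
""".splitlines()

# The user name is client-supplied text (it may contain spaces or "from"), so take
# the address from the fixed "from <ip> port <n>" tail at the end of the line.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+(?: ssh2)?$"
)

def offenders(lines, max_failures=3, window=timedelta(minutes=10), year=2005):
    """Return {ip: last time it had max_failures failures inside the window}."""
    recent = defaultdict(deque)      # ip -> failure timestamps still inside the window
    flagged = {}
    for line in lines:
        m = FAILED.match(line.rstrip())
        if not m:
            continue
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        q = recent[m.group(2)]
        q.append(when)
        while when - q[0] > window:  # forget failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            flagged[m.group(2)] = when
    return flagged

def block_rules(flagged, now, block_for=timedelta(hours=1), allow=(), chain="INPUT"):
    """Render (not run) a DROP rule for each address whose block has not expired."""
    return [
        f"iptables -I {chain} -p tcp -s {ip} --dport 22 -j DROP"
        for ip in sorted(flagged)
        if ip not in allow and now < flagged[ip] + block_for
    ]
```

Passing your own management addresses in `allow` keeps a mistyped password from locking you out of the server.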
 
Old 05-23-2005, 09:36 PM   #7
leofoxx
LQ Newbie
 
Registered: May 2005
Posts: 3

Original Poster
Rep: Reputation: 0
Cool, now that's what I'm talking about. Thanks. I'll give that one a try.
 
  

