LinuxQuestions.org


leofoxx 05-13-2005 11:44 AM

How do I block IPs to prevent unauthorized SSH login attempts?

I'm still fairly new to Linux. I have an old PII running FC3 that I use as a fileserver and internet router for my home network. I get constant attempts from multiple IPs to log in to my server through ssh. Up to this point, I've just been blocking the IPs as I see them in the logs by adding an iptables entry, but this is becoming a pain.

Is there a better way? Maybe an automated one?

Hangdog42 05-13-2005 12:06 PM

Welcome to LQ!


Well, given that these attacks come from all over the IP address spectrum, your first effort should be towards making sure that SSH is securely locked down. Here are some suggestions:

- If you access ssh from already known IP addresses, re-write your firewall or use hosts.allow and hosts.deny to allow only those IP addresses (or address ranges) through.

- Add an AllowUsers line to your sshd_config file. This means that ONLY the users listed on that line are allowed ssh access.

- Modify your sshd_config so that it uses public/private key authorization. That way only those who have a legitimate key on the system will have access.

- Make sure that you are only using the SSH 2 protocol (again, something you set in your sshd_config file).

Personally I use the last three methods and while I see almost daily attacks, the only thing they do is fill up my log file.

leofoxx 05-14-2005 01:36 AM

Thanks
 
Okay, I'll look into those, thanks.

Hangdog42 05-14-2005 09:02 AM

Of course I forgot to add the most important thing... If you're not using ssh at all, simply shut down the service. That will prevent any attack from getting through.

javaroast 05-14-2005 09:24 PM

Allow access only to specific IPs using iptables. You will no longer see the log entries, as connection attempts will simply be blocked.

SSH="1.2.3.0/24 1.2.5.6 1.2.0.0/16 1.2.9.13"

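for sip in $SSH
do
    # $IPT (the iptables command) and the IN_FIREWALL chain must be defined elsewhere in the firewall script
    $IPT -A IN_FIREWALL -p tcp -s "$sip" --dport 22 -m state --state NEW -j ACCEPT
done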

pedrobl 05-19-2005 09:11 AM

Check this site: http://www.pettingers.org/code/SSHBlack.html

It has a Perl script that automates what you are doing, i.e. after a configurable number of failed login attempts, it blocks the IP for a configurable time using iptables. I've been using it on a few servers and it works great!

I strongly recommend it. Cheers,
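
The approach described in the post above (block a source with iptables after a configurable number of failed logins, for a configurable time), shown in Python as an added example; it is not part of the original thread and is not the SSHBlack script. The thresholds, the trusted 192.168.0.0/24 range, the INPUT chain, the function names and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# End-anchored so the address captured is the one sshd appended, not username text.
FAILED = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
                    r"Failed password for .* from (\S+) port \d+(?: ssh\d?)?\s*$")

def parse_failures(lines, year=2005):
    """Yield (timestamp, ip) per failed login; syslog omits the year, so pass it in."""
    for m in filter(None, map(FAILED.match, lines)):
        try:
            ip = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue  # hostname instead of an address: nothing to block by IP
        yield datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"), ip

def plan_blocks(lines, max_failures=5, window=timedelta(minutes=10),
                ban=timedelta(hours=1), allow=("192.168.0.0/24",)):
    """Return [(ip, banned_at, expires)] for sources with max_failures inside window."""
    trusted = [ipaddress.ip_network(n) for n in allow]
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    banned_until, blocks = {}, []
    for ts, ip in parse_failures(lines):
        if any(ip in net for net in trusted):
            continue  # never lock out the trusted LAN (assumed range)
        if banned_until.get(ip, ts) > ts:
            continue  # already blocked at this point in the log
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= max_failures:
            banned_until[ip] = ts + ban
            blocks.append((str(ip), ts, ts + ban))
            q.clear()
    return blocks

def iptables_rules(blocks):  # rendered for review; nothing is executed here
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP" for ip, _, _ in blocks]

# Constructed sample: six failures from one documentation address, one from the LAN.
SAMPLE_LOG = [f"May 13 11:40:0{i} fileserver sshd[2101]: Failed password for "
              f"illegal user admin from 203.0.113.7 port 410{i} ssh2" for i in range(6)]
SAMPLE_LOG.append("May 13 11:41:00 fileserver sshd[2102]: Failed password for "
                  "alice from 192.168.0.10 port 5000 ssh2")

if __name__ == "__main__":
    print("\n".join(iptables_rules(plan_blocks(SAMPLE_LOG))))
```

The `expires` value in each tuple is when the matching rule should be removed again (for example with `iptables -D` and the same rule specification); the example assumes the log lines are in chronological order.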

leofoxx 05-23-2005 09:36 PM

Cool, now that's what I'm talking about. Thanks. I'll give that one a try.


All times are GMT -5.