How do I block IP's to prevent unauthorized SSH login attempts?
I'm still fairly new to Linux. I have an old PII running FC3 that I use as a fileserver and internet router for my home network. I get constant attempts from multiple IPs to log in to my server through ssh. Up to this point, I've just been blocking the IPs as I see them in the logs by adding an iptables entry, but this is becoming a pain.
Well, given that these attacks come from all over the IP address spectrum, your first effort should be towards making sure that SSH is securely locked down. Here are some suggestions:
- If you access ssh from already known IP addresses, re-write your firewall or use hosts.allow and hosts.deny to allow only those IP addresses (or address ranges) through.
- Add an AllowUsers line to your sshd_config file. This means that ONLY the users listed on that line are allowed ssh access.
- Modify your sshd_config so that it uses public/private key authorization. That way only those who have a legitimate key on the system will have access.
- Make sure that you are only using the SSH 2 protocol (again, something you set in your sshd_config file).
Personally I use the last three methods and while I see almost daily attacks, the only thing they do is fill up my log file.
Of course I forgot to add the most important thing... If you're not using ssh at all, simply shut down the service. That will prevent any attack from getting through.
It has a Perl script that automates what you are doing, i.e. after a configurable number of failed login attempts, it uses iptables to block the IP for a configurable time. I've been using it on a few servers and it works great!
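As an added illustration of the kind of automation that post describes (not the script it refers to, and not code from the original thread), here is a small POSIX shell sketch: it counts "Failed password" lines per source address from sshd log output and emits an iptables DROP rule for every address at or above a threshold. The log lines are constructed, and the threshold, INPUT chain and port 22 are assumptions; on FC3 the real input would normally come from /var/log/secure.

```shell
#!/bin/sh
# Constructed sample of sshd log lines (not real data); FC3 writes these to /var/log/secure.
SAMPLE_LOG='Mar  3 10:01:02 router sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 50122 ssh2
Mar  3 10:01:05 router sshd[2103]: Failed password for invalid user admin from 198.51.100.7 port 50130 ssh2
Mar  3 10:01:09 router sshd[2105]: Failed password for root from 198.51.100.7 port 50141 ssh2
Mar  3 10:02:11 router sshd[2110]: Failed password for invalid user test from 203.0.113.9 port 41002 ssh2
Mar  3 10:03:44 router sshd[2120]: Accepted publickey for bob from 192.0.2.5 port 40110 ssh2'

# Read log lines on stdin and print "count ip" for each source address with at
# least $1 failed password attempts. Matches the "Failed password ... from <ip>"
# form that OpenSSH logs; successful logins are ignored.
failed_ips_over_threshold() {
    awk -v t="$1" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }
    ' | sort -rn
}

# Turn "count ip" lines into iptables DROP rules for the SSH port on INPUT.
# Only prints the commands; review them and run as root (a cron job could later
# remove each rule with iptables -D to get the "configurable time" behaviour).
block_rules() {
    while read -r _count ip; do
        printf 'iptables -I INPUT -s %s -p tcp --dport 22 -j DROP\n' "$ip"
    done
}

# Run the whole pipeline over the embedded sample; threshold defaults to 3.
sample_rules() {
    printf '%s\n' "$SAMPLE_LOG" | failed_ips_over_threshold "${1:-3}" | block_rules
}

sample_rules 3
```

With the sample above only 198.51.100.7 reaches three failures, so exactly one DROP rule is printed; 203.0.113.9 stays below the threshold and the successful key login from 192.0.2.5 is never counted.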