LinuxQuestions.org


ridwan77 05-24-2006 09:44 AM

illegal ssh login attempt killing me
 
Hello there!

I'm new to Linux.

I'm using Slackware 8.0 for my mail server. For the last few months I have been facing a huge number of illegal SSH login attempts on my server. I can't stop the SSH service because I need it, but I want to allow only some specific IPs from which SSH logins can be made. From all other IPs, SSH will be denied. How do I do it? Can anyone please help me out?

zaichik 05-24-2006 09:56 AM

You could move your SSH port to something other than 22, for starters. In your sshd config file (on my systems it's /etc/ssh/sshd_config) you will want these entries:
Code:

# or something besides 22
Port 8945
Protocol 2

To allow logins only from specific IPs, you can add this to sshd_config:
Code:

AllowUsers *@1.2.3.4

That will only allow SSH logins from any user from IP address 1.2.3.4.

You can lock it down even tighter by disallowing direct root logins, and specifying a user in the line above. For example, create a user "ridwan77", add them to the group wheel, and include this in your sshd_config file:
Code:

AllowUsers ridwan77@1.2.3.4

PermitRootLogin no

In this case, only ridwan77 will be allowed to log in, and then only from IP address 1.2.3.4. You can include netblocks in AllowUsers with

Code:

AllowUsers ridwan77@1.2.3.*

You will have to restart sshd to make any changes effective. Restarting sshd will not kill your current session.

unixfool 05-24-2006 10:21 AM

Since you're new to Linux and are using an older version of Slackware, you might want to upgrade your SSH package (if you haven't already).

ridwan77 05-27-2006 12:53 AM

Dear zaichik,

Thanks for your quick reply.
You said, "For example, create a user "ridwan77", add them to the group wheel, and include this in your sshd_config file" ... I'm confused about adding to the group wheel. Please describe how to do that.


-Ridwan

gabsik 05-27-2006 12:58 AM

Read this ...

ridwan77 05-27-2006 07:18 AM

Hello zaichik,

I have added the following lines in my /etc/ssh/sshd_config file:

AllowUsers ridwan77@192.168.222.*
PermitRootLogin no


Then I killed the sshd daemon and started it again, but I can't log in and the log is showing the following messages:

May 27 18:07:01 mail sshd[612]: input_userauth_request: illegal user ridwan77
May 27 18:07:01 mail sshd[612]: Failed none for illegal user ridwan77 from 192.168.222.10 port 2232 ssh2
May 27 18:07:01 mail sshd[612]: Failed keyboard-interactive for illegal user ridwan77 from 192.168.222.10 port 2232 ssh2
May 27 18:07:09 mail sshd[612]: Failed password for illegal user ridwan77 from 192.168.222.10 port 2232 ssh2


Would you please tell me what to do now?

- Ridwan

zaichik 05-27-2006 11:00 AM

Did you add the Unix user ridwan77?
Code:

useradd ridwan77
passwd ridwan77

and then enter a good, secure password for the user (at least 10 characters, combination of upper- and lower-case letters, numerals, and special characters).

Don't forget to add the user to wheel. Edit /etc/group, and the line that says something like (probably)
Code:

wheel:x:10:root

change to
Code:

wheel:x:10:root,ridwan77

No spaces on either side of that comma there.
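
Added example, not part of the original thread: a pre-flight check for the failure shown above, where AllowUsers named an account that did not exist yet and sshd logged "illegal user". The function names, the temporary directory and the sample files are constructed for illustration, and the check assumes accounts are local (listed in the passwd file).

```shell
#!/bin/sh
# Added example: pre-flight check for AllowUsers before restarting sshd.

# Print each literal user name in AllowUsers that has no passwd entry.
missing_allowusers() {
    config=${1:-/etc/ssh/sshd_config}
    passwd=${2:-/etc/passwd}
    awk -v passwd="$passwd" '
        BEGIN {
            # Load the existing account names from the passwd file.
            while ((getline line < passwd) > 0) {
                split(line, f, ":")
                known[f[1]] = 1
            }
        }
        # sshd_config keywords are case-insensitive; "#" lines never match.
        tolower($1) == "allowusers" {
            for (i = 2; i <= NF; i++) {
                user = $i
                sub(/@.*/, "", user)          # drop the @host part
                if (user ~ /[*?!]/) continue  # pattern, not a single account
                if (!(user in known) && !(user in seen)) {
                    seen[user] = 1
                    print user
                }
            }
        }
    ' "$config"
}

# Return non-zero (and explain why) if any listed account is missing.
check_allowusers() {
    missing=$(missing_allowusers "$@")
    if [ -n "$missing" ]; then
        echo "AllowUsers names accounts that do not exist:" >&2
        echo "$missing" >&2
        return 1
    fi
}

# Constructed sample files reproducing the thread: AllowUsers names
# ridwan77, but the account has not been created yet.
demo=$(mktemp -d)
printf 'PermitRootLogin no\nAllowUsers ridwan77@192.168.222.*\n' > "$demo/sshd_config"
printf 'root:x:0:0::/root:/bin/bash\n' > "$demo/passwd"
check_allowusers "$demo/sshd_config" "$demo/passwd" ||
    echo "create the account before restarting sshd"
```

To check a live system, call `check_allowusers` with no arguments from a session you keep open, then restart sshd only if it returns success.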

joseph 05-28-2006 08:22 PM

Why not use iptables to prevent it?

ridwan77 05-30-2006 02:20 AM

Hi zaichik,

At last it worked. Thanks for your assistance.


Ridwan

juanbobo 05-30-2006 03:27 AM

Since you don't always know the IPs of the machines you'll be using to log in to your server, I think using iptables to limit connection attempts is a better solution; it's not very difficult. Here is a link explaining how:

http://www.tummy.com/journals/entrie...0050724_172920

