LinuxQuestions.org
Old 05-24-2006, 09:44 AM   #1
ridwan77
LQ Newbie
 
Registered: Mar 2006
Posts: 29

Rep: Reputation: 15
illegal ssh login attempt killing me


Hello there!

I'm new to Linux.

I'm using Slackware 8.0 for my mail server. For the last few months I've been facing a huge number of illegal ssh login attempts on my server. I can't stop the ssh service because I need it, but I want to allow only some specific IPs from which ssh login can be done. From all other IPs ssh will be denied. How do I do it? Can anyone please help me out?
 
Old 05-24-2006, 09:56 AM   #2
zaichik
Member
 
Registered: May 2004
Location: Iowa USA
Distribution: CentOS
Posts: 419

Rep: Reputation: 30
You could move your SSH port to something other than 22, for starters. In your sshd config file (on my systems it's /etc/ssh/sshd_config) you will want these entries:
Code:
# or something besides 22
Port 8945
Protocol 2
To allow logins only from specific IPs, you can add this to sshd_config:
Code:
AllowUsers *@1.2.3.4
That will only allow SSH logins from any user from IP address 1.2.3.4.

You can lock it down even tighter by disallowing direct root logins, and specifying a user in the line above. For example, create a user "ridwan77", add them to the group wheel, and include this in your sshd_config file:
Code:
AllowUsers ridwan77@1.2.3.4

PermitRootLogin no
In this case, only ridwan77 will be allowed to log in, and then only from IP address 1.2.3.4. You can include netblocks in AllowUsers with

Code:
AllowUsers ridwan77@1.2.3.*
You will have to restart sshd to make any changes effective. Restarting sshd will not kill your current session.
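To see which logins the directives above would admit, here is an added example (not part of the original post, and not OpenSSH's own code) that evaluates AllowUsers and PermitRootLogin for a given user and source address. It assumes patterns use only the `*` and `?` wildcards, matches the host part against the IP address string only, and ignores negated (`!`) patterns; the function names and sample config are constructed for illustration.

```python
import re

# Constructed sample mirroring the directives quoted in this thread.
SAMPLE_CONFIG = """\
Port 8945
Protocol 2
AllowUsers ridwan77@192.168.222.*
PermitRootLogin no
"""

def glob_to_regex(pattern):
    """Translate an sshd-style pattern ('*' and '?' only) into an anchored regex."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in pattern)
    return re.compile(body + r"\Z")

def parse_config(text):
    """Return (AllowUsers entries, root_permitted) from sshd_config text."""
    allow, root_permitted = [], True  # assumption: root is modelled as permitted unless set to "no"
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        key, args = fields[0].lower(), fields[1:]  # keywords are case-insensitive
        if key == "allowusers":
            allow.extend(args)                     # repeated lines append to the list
        elif key == "permitrootlogin" and args:
            root_permitted = args[0].lower() != "no"
    return allow, root_permitted

def is_allowed(user, ip, config_text):
    """Decide whether (user, source IP) passes AllowUsers and PermitRootLogin."""
    allow, root_permitted = parse_config(config_text)
    if user == "root" and not root_permitted:
        return False
    if not allow:                                  # no AllowUsers: nothing restricted here
        return True
    for entry in allow:
        user_pat, _, host_pat = entry.partition("@")
        if glob_to_regex(user_pat).match(user) and (
                not host_pat or glob_to_regex(host_pat).match(ip)):
            return True
    return False

if __name__ == "__main__":
    for user, ip in [("ridwan77", "192.168.222.10"), ("ridwan77", "192.168.223.10"),
                     ("root", "192.168.222.10")]:
        print(user, ip, is_allowed(user, ip, SAMPLE_CONFIG))
```

The wildcard is a textual match on the address string, not a netmask, so `1.2.3.*` covers every address that begins with `1.2.3.`.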
 
Old 05-24-2006, 10:21 AM   #3
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 781
Blog Entries: 8

Rep: Reputation: 157
Since you're new to Linux and are using an older version of Slackware, you might want to upgrade your SSH package (if you haven't already).
 
Old 05-27-2006, 12:53 AM   #4
ridwan77
LQ Newbie
 
Registered: Mar 2006
Posts: 29

Original Poster
Rep: Reputation: 15
Dear zaichik,

Thanks for your quick reply.
You said "For example, create a user "ridwan77", add them to the group wheel, and include this in your sshd_config file" .... I'm confused about adding to the group wheel. How do I do that? Please describe.


-Ridwan
 
Old 05-27-2006, 12:58 AM   #5
gabsik
Member
 
Registered: Dec 2005
Location: italia
Distribution: Debian etch stable
Posts: 534

Rep: Reputation: 30
Read this ...
 
Old 05-27-2006, 07:18 AM   #6
ridwan77
LQ Newbie
 
Registered: Mar 2006
Posts: 29

Original Poster
Rep: Reputation: 15
hello zaichik,

I have added the following lines in my /etc/ssh/sshd_config file:

AllowUsers ridwan77@192.168.222.*
PermitRootLogin no


and then I killed the sshd daemon and started it again, but I can't log in and the log is showing the following messages:

May 27 18:07:01 mail sshd[612]: input_userauth_request: illegal user ridwan77
May 27 18:07:01 mail sshd[612]: Failed none for illegal user ridwan77 from 192.168.222.10 port 2232 ssh2
May 27 18:07:01 mail sshd[612]: Failed keyboard-interactive for illegal user ridwan77 from 192.168.222.10 port 2232 ssh2
May 27 18:07:09 mail sshd[612]: Failed password for illegal user ridwan77 from 192.168.222.10 port 2232 ssh2


Would you please tell me what to do now?

- Ridwan
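For sorting through a log full of entries like the ones quoted in the post above, here is an added example (not part of the original thread) that groups failed logins by source address and lists the sources that try several login names. The sample log lines are constructed in the same format, the thresholds and function names are assumptions, and the pattern also accepts the "invalid user" wording that later OpenSSH releases log.

```python
import re
from collections import defaultdict

# Constructed sample in the log format quoted in this thread; 203.0.113.7 is a documentation address.
SAMPLE_LOG = """\
May 27 18:07:01 mail sshd[612]: Failed none for illegal user ridwan77 from 192.168.222.10 port 2232 ssh2
May 27 18:07:09 mail sshd[612]: Failed password for illegal user ridwan77 from 192.168.222.10 port 2232 ssh2
May 27 18:09:40 mail sshd[640]: Failed password for illegal user admin from 203.0.113.7 port 4410 ssh2
May 27 18:09:43 mail sshd[641]: Failed password for illegal user test from 203.0.113.7 port 4412 ssh2
May 27 18:09:46 mail sshd[642]: Failed password for root from 203.0.113.7 port 4415 ssh2
May 27 18:09:49 mail sshd[643]: Failed password for illegal user oracle from 203.0.113.7 port 4419 ssh2
May 27 18:10:02 mail sshd[650]: Accepted password for ridwan77 from 192.168.222.10 port 2240 ssh2
"""

FAILED = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>\S+) for "
    r"(?P<unknown>(?:illegal|invalid) user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+")

def summarize(log_text):
    """Group failed logins by source IP: attempt count, names tried, unknown-name count."""
    stats = defaultdict(lambda: {"failures": 0, "unknown": 0, "users": set()})
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m or m.group("method") == "none":
            continue  # "none" is the client's initial method query, not a credential guess
        entry = stats[m.group("ip")]
        entry["failures"] += 1
        entry["unknown"] += bool(m.group("unknown"))
        entry["users"].add(m.group("user"))
    return dict(stats)

def noisy_sources(log_text, min_failures=3, min_users=2):
    """Sources with many failures spread over several login names (guessing pattern)."""
    return sorted(ip for ip, s in summarize(log_text).items()
                  if s["failures"] >= min_failures and len(s["users"]) >= min_users)

if __name__ == "__main__":
    print(noisy_sources(SAMPLE_LOG))
```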
 
Old 05-27-2006, 11:00 AM   #7
zaichik
Member
 
Registered: May 2004
Location: Iowa USA
Distribution: CentOS
Posts: 419

Rep: Reputation: 30
Did you add the Unix user ridwan77?
Code:
useradd ridwan77
passwd ridwan77
and then enter a good, secure password for the user (at least 10 characters, combination of upper- and lower-case letters, numerals, and special characters).

Don't forget to add the user to wheel. Edit /etc/group, and the line that says something like (probably)
Code:
wheel:x:10:root
change to
Code:
wheel:x:10:root,ridwan77
No spaces on either side of that comma there.
 
Old 05-28-2006, 08:22 PM   #8
joseph
Member
 
Registered: Jun 2003
Location: Batam
Distribution: Ubuntu 10 And Linux Mint
Posts: 414

Rep: Reputation: 30
Why not use iptables to prevent it?
 
Old 05-30-2006, 02:20 AM   #9
ridwan77
LQ Newbie
 
Registered: Mar 2006
Posts: 29

Original Poster
Rep: Reputation: 15
hi zaichik,

At last it worked. Thanks for your assistance


Ridwan
 
Old 05-30-2006, 03:27 AM   #10
juanbobo
Member
 
Registered: Mar 2005
Location: Chicago
Distribution: Gentoo AMD64
Posts: 365

Rep: Reputation: 30
Since you don't always know the IPs of the machines you'll be using to log in to your server, I think using iptables to limit connection attempts is a better solution; it's not very difficult. Here is a link explaining how:

http://www.tummy.com/journals/entrie...0050724_172920
 
  

