Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Hi! I am currently having someone try to brute force their way into my system via ssh. I need ssh opened by default so that I can remotely manage my system when I am away. Here is an example of my secure log file. This user has been trying root logins to a-z login names.
Jan 29 07:20:47 bigblue sshd[13110]: Did not receive identification string from 219.254.35.71
Jan 29 07:32:19 bigblue sshd[13279]: Failed password for root from 219.254.35.71 port 60419 ssh2
Jan 29 07:32:23 bigblue sshd[13282]: Failed password for root from 219.254.35.71 port 60727 ssh2
Jan 29 07:32:27 bigblue sshd[13285]: Failed password for root from 219.254.35.71 port 33149 ssh2
Jan 29 07:32:32 bigblue sshd[13290]: Failed password for root from 219.254.35.71 port 33816 ssh2
Jan 29 07:32:36 bigblue sshd[13293]: Failed password for root from 219.254.35.71 port 34448 ssh2
Jan 29 07:32:40 bigblue sshd[13295]: Failed password for root from 219.254.35.71 port 35113 ssh2
Jan 29 07:32:44 bigblue sshd[13298]: Failed password for root from 219.254.35.71 port 35757 ssh2
Jan 29 07:32:49 bigblue sshd[13301]: Failed password for root from 219.254.35.71 port 36423 ssh2
Jan 29 07:32:53 bigblue sshd[13304]: Failed password for root from 219.254.35.71 port 36748 ssh2
Jan 29 07:32:57 bigblue sshd[13306]: Failed password for root from 219.254.35.71 port 37394 ssh2
Jan 29 07:33:02 bigblue sshd[13309]: Failed password for root from 219.254.35.71 port 37807 ssh2
Jan 29 07:33:06 bigblue sshd[13311]: Failed password for root from 219.254.35.71 port 38078 ssh2
Jan 29 07:33:10 bigblue sshd[13315]: Failed password for root from 219.254.35.71 port 38338 ssh2
I have prevented root login via ssh and also deleted a variety of default users from the system.
FTP users have been chrooted and have no login privileges. I have traced the IP and it appears to be from Asia somewhere specifically somewhere in Seoul Korea. I have found it that this sytem has ftp open on this users box as well. Long story short I would like to blacklist this IP from ever being able to perform brute force into my system. Is there anyway that I could accomplish this such as denying the IP.
you could put an entry in the /etc/host.deny file. I've never used it but I know it's possible. If you google it a bit and search the forums I'm sure you'll find the correct format. Hope this helps
Are you using iptables for your firewall? You can block IP addresses that way. Alternatively, if you set up ssh to only allow access with keys, then it doesn't matter how many passwords they try.
I've long given up on trying to block those that scan my box. I use very strong passwords and only two usernames are allowed to log in (and those are somewhat obscure as well). So far, no scan has even hit my usernames. At some point, I might go to public keys, if I can find a format I can put on my thumbdrive for use with OpenSSH, PuTTY, and the commercial SSH.
Thanks for the tips, I'll do some more research on the SSH keys. That might do the trick. However I would just love to stop the brute forcer in his/her track when she's pounding away at my box. It would give me more satisfaction.
I've been using a perl program called sshblack that monitors your logs for this kind of nonsense and then modifies your iptables firewall to drop them once detected. I've got it set up so after 3 or 4 of these attempted logins, their IP address gets dropped at the firewall. It has DEFINITELY cleaned up my logs.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.