LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.

Old 02-05-2006, 08:02 PM   #1
keysorsoze
Member
 
Registered: Apr 2004
Location: Queens, NY
Distribution: Red Hat, Solaris
Posts: 295

Intrusion Attempts


Hi! I am currently having someone try to brute force their way into my system via ssh. I need ssh opened by default so that I can remotely manage my system when I am away. Here is an example of my secure log file. This user has been trying root logins to a-z login names.

Jan 29 07:20:47 bigblue sshd[13110]: Did not receive identification string from 219.254.35.71
Jan 29 07:32:19 bigblue sshd[13279]: Failed password for root from 219.254.35.71 port 60419 ssh2
Jan 29 07:32:23 bigblue sshd[13282]: Failed password for root from 219.254.35.71 port 60727 ssh2
Jan 29 07:32:27 bigblue sshd[13285]: Failed password for root from 219.254.35.71 port 33149 ssh2
Jan 29 07:32:32 bigblue sshd[13290]: Failed password for root from 219.254.35.71 port 33816 ssh2
Jan 29 07:32:36 bigblue sshd[13293]: Failed password for root from 219.254.35.71 port 34448 ssh2
Jan 29 07:32:40 bigblue sshd[13295]: Failed password for root from 219.254.35.71 port 35113 ssh2
Jan 29 07:32:44 bigblue sshd[13298]: Failed password for root from 219.254.35.71 port 35757 ssh2
Jan 29 07:32:49 bigblue sshd[13301]: Failed password for root from 219.254.35.71 port 36423 ssh2
Jan 29 07:32:53 bigblue sshd[13304]: Failed password for root from 219.254.35.71 port 36748 ssh2
Jan 29 07:32:57 bigblue sshd[13306]: Failed password for root from 219.254.35.71 port 37394 ssh2
Jan 29 07:33:02 bigblue sshd[13309]: Failed password for root from 219.254.35.71 port 37807 ssh2
Jan 29 07:33:06 bigblue sshd[13311]: Failed password for root from 219.254.35.71 port 38078 ssh2
Jan 29 07:33:10 bigblue sshd[13315]: Failed password for root from 219.254.35.71 port 38338 ssh2

I have prevented root login via ssh and also deleted a variety of default users from the system.
FTP users have been chrooted and have no login privileges. I have traced the IP and it appears to be from Asia, specifically somewhere in Seoul, Korea. I have found that this system has ftp open on this user's box as well. Long story short, I would like to blacklist this IP from ever being able to brute force its way into my system. Is there any way that I could accomplish this, such as denying the IP?

Thanks.
 
Old 02-05-2006, 08:35 PM   #2
Centinul
Member
 
Registered: Jun 2005
Distribution: Gentoo
Posts: 552

You could put an entry in the /etc/hosts.deny file. I've never used it, but I know it's possible. If you google it a bit and search the forums, I'm sure you'll find the correct format. Hope this helps.
 
Old 02-05-2006, 09:06 PM   #3
keysorsoze
Member
 
Registered: Apr 2004
Location: Queens, NY
Distribution: Red Hat, Solaris
Posts: 295

Original Poster
Thanks

Thanks for the reply, I'll give it a shot.
 
Old 02-05-2006, 09:19 PM   #4
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,141

Are you using iptables for your firewall? You can block IP addresses that way. Alternatively, if you set up ssh to only allow access with keys, then it doesn't matter how many passwords they try.
 
Old 02-05-2006, 09:26 PM   #5
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

I've long given up on trying to block those that scan my box. I use very strong passwords and only two usernames are allowed to log in (and those are somewhat obscure as well). So far, no scan has even hit my usernames. At some point, I might go to public keys, if I can find a format I can put on my thumb drive for use with OpenSSH, PuTTY, and the commercial SSH.
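Putting gilead's key-only suggestion and Matir's restricted-usernames approach together in one sshd_config fragment (an added example, not either poster's actual configuration; alice and ops-admin are placeholder account names):

```conf
# /etc/ssh/sshd_config excerpt (added example; alice and ops-admin are placeholders)
# Keep the OP's change: root is exactly the account the attacker is guessing at.
PermitRootLogin no
# Keys only: a guessed password can never succeed, however many are tried.
PubkeyAuthentication yes
#PasswordAuthentication yes      <- the default that lets the guessing go on
PasswordAuthentication no
# Also close the PAM keyboard-interactive path, or passwords still get through.
ChallengeResponseAuthentication no
# Only these accounts may log in at all; any other username is rejected outright.
AllowUsers alice ops-admin
```

Test a new key-based login from a second session before restarting sshd, so a typo here cannot lock you out of the remote box.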
 
Old 02-06-2006, 06:37 AM   #6
keysorsoze
Member
 
Registered: Apr 2004
Location: Queens, NY
Distribution: Red Hat, Solaris
Posts: 295

Original Poster
Thanks

Thanks for the tips, I'll do some more research on the SSH keys. That might do the trick. However, I would just love to stop the brute forcer in his/her tracks when she's pounding away at my box. It would give me more satisfaction.

Thanks.
 
Old 02-06-2006, 07:00 AM   #7
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

I've been using a perl program called sshblack that monitors your logs for this kind of nonsense and then modifies your iptables firewall to drop them once detected. I've got it set up so after 3 or 4 of these attempted logins, their IP address gets dropped at the firewall. It has DEFINITELY cleaned up my logs.
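A minimal stand-in for what Hangdog42 describes sshblack doing, written here as an added example (it is not sshblack's code): count "Failed password" lines per source address in an sshd log and print the iptables DROP rules for any address past a threshold. The log lines inside it are constructed to resemble the OP's secure log, and 192.0.2.10 is a documentation-range address standing in for a legitimate user.

```shell
#!/bin/sh
# Added example, not sshblack: detect repeated sshd password failures per
# source IP and emit firewall rules for the offenders. Sample log is constructed.

# Write a small constructed log shaped like the thread's /var/log/secure.
make_sample_log() {
    cat > "$1" <<'EOF'
Jan 29 07:32:19 bigblue sshd[13279]: Failed password for root from 219.254.35.71 port 60419 ssh2
Jan 29 07:32:23 bigblue sshd[13282]: Failed password for root from 219.254.35.71 port 60727 ssh2
Jan 29 07:32:27 bigblue sshd[13285]: Failed password for invalid user abc from 219.254.35.71 port 33149 ssh2
Jan 29 07:32:32 bigblue sshd[13290]: Failed password for root from 219.254.35.71 port 33816 ssh2
Jan 29 07:40:01 bigblue sshd[13400]: Failed password for bob from 192.0.2.10 port 40000 ssh2
Jan 29 07:41:09 bigblue sshd[13411]: Accepted publickey for bob from 192.0.2.10 port 40012 ssh2
EOF
}

# Print every IP with at least $2 failed password attempts in log $1, sorted.
# The word after "from" is taken as the address, so "invalid user X from"
# lines are counted the same as plain "for root from" lines.
offending_ips() {
    awk -v limit="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= limit) print ip }
    ' "$1" | sort
}

# Emit (do not run) the iptables rules that drop the offenders' ssh traffic.
# -I puts each rule at the top of INPUT so it wins over any earlier ACCEPT.
block_rules() {
    offending_ips "$1" "$2" | while read -r ip; do
        printf 'iptables -I INPUT -s %s -p tcp --dport 22 -j DROP\n' "$ip"
    done
}

# Demo on the constructed log; real use points it at /var/log/secure.
log=$(mktemp)
make_sample_log "$log"
block_rules "$log" 3
rm -f "$log"
```

Review the printed list before piping it to sh, and keep an ACCEPT rule for your own management addresses ahead of these DROPs so a mistyped password from home cannot lock you out.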
 
Old 02-06-2006, 01:13 PM   #8
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,141

I don't remember who posted it, but have a look at http://www.hakusan.tsg.ne.jp/tjkawa/...er/index-e.jsp if you're using iptables. There's an easy way to get a shed-load of IP address ranges to block.
 
  


All times are GMT -5.