Hello,

I would like to ask you for suggestion. I have a server, which gets regularly attack via ssh. Of course, I block the user after several unsuccessful logins via fail2ban but I would like to go further.

Usually, I can't track the IP. Traceroute ends somewhere in China or stops after hitting 30 or 40 hops leading nowhere. However, from time to time I can easily track the user, last example was a static IP from Italy (probably script kiddie, because he/she tried it two times in two weeks, not typical for a botnet). I contacted the ISP (one of the Italian biggest), they said they are going to investigate the situation and didn't reply any more.

I believe users are responsible for their computers, especially that they have to deploy a certain level of minimal security. It's is similar to having a lock-and-loaded assault rifle lying in front of your door all the time without any security - you will be investigated by the police if somebody commits a murder with that gun.

So, I would like to ban these users, not just from my server, but on a global scale. If the ISP doesn't react, let's ban whole subnet. Why not? There are far to many computers to loose too many visitors or clients.

Is there any such 'global' blacklist for ssh, or possibly including all those ********* in botnets sending spam?

The ISP wont do anything.After all they are not responsible for that.Would be a different business if it was spam or a phishing website.I reported one of those the other day and it was down within 1 hour.

Stuff like that is going on all the time - no reason to get excited.

I don't think it is the responsibility of the ISP to manage what users do and do not do. Blocking a whole subnet is a problem, because what about innocent users.

I would suggest using public / private key authentication to improve security. Alternatively, use your firewall to limit SSH access to only those IP addresses that require it.

--Ian

Security is not a problem, attackers are banned after three wrong passwords / usernames.

However, I think there is no way to make users secure their computers in first place, so making their life harder by forcing their ISP to send them emails / letters is much better (and if ISP's don't do anything - let's ban whole subnet, all of their customers won't have access to the server - why not?)

Yeah, real clever. Then I can just borrow a computer (like at a library), ssh three times and BAM! The entire subnet can't access tons of sites (assuming someone would actually go through with this).

And honestly, you want to go after someone for sshing twice to your server? I, for one, think continuous attacks actually improves security in the long run.

try hosts.allow...

block all sshd and any other service that you want protected from everywhere except from where you specify.

Great. Now I can log to my server from an internet café when I'm hundreds of kilometres away and something bad happens (always when you don't need it) :-D

SOME ISPs won't. Some will. I've actually seen responses, but the situations were different, as the attackers weren't just scanning port 22...they were attempting broad scans or even attempting exploits.

The OP has a point. The IP block owners have some responsibility in ensuring people they sell services to adhere to the TOS that every company has. It's either that, or nothing ever gets cleaned from being infected or trojaned...or no one ever gets their hands smacked for doing something that isn't condoned on the network. But where the OP gets a bit lost is the fact that its really not good to ban whole ranges of IPs. I believe someone in this thread mentioned attacking via a public library machine. Imagine if library netblocks were banned at a global level...people can't learn or conduct legitimate research, and all because of one user doing something bad and getting the whole library IP space banned. Not good.

Use SSH key authentication...that'll stop a majority of the scans right off the bat. Configure your firewall to only allow certain traffic from certain IPs. Use tcp-wrappers if you want, or fail2ban or something similar (bruteforceblocker or sshguard). There are other ways to harden your machines.

Use Telnet. No one ever looks there anymore.

Move it off port #22 and don't allow passwords for network logins and no one can attempt passwords for network logins.

I used to tarpit scans to tcp/22, but since they calmed down alot now tarpit is busy with that SAV worm thingy on 2967/tcp.

Years ago, before I did the above, I had this guy connect to sshd and sit there trying passwords. I think it was something like 12 minutes from start to finish, and he filled pages and pages of logs with dumb logins like 'www' and 'god' and 'John'. When I sent the logs to his ISP, they replied back and said they terminated his account...

@OP: if you really are set on allowing passworded ssh to everywhere on the default port, at least put a port-knock sequence in front of it.