Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
which sets the "policy" for your input chain to "DROP". That way anything that doesn't get caught by an explicit ACCEPT rule will get dropped.
I find this doesn't work for me because I use too many dynamic hosts to access my machine -- dial-ups, mooched wi-fi, DSL, etc. I would have to go in and fiddle my iptables a couple of times a day.
Although it is a bit more risky, if you know your ISP has a block at, say, 192.168.0.0 - 192.168.255.255 you can of course use standard notation in iptables:
This opens it up to more addresses but still blocks off a huge portion of the Internet.
One comment on flipcode's post, I don't know if that will work without the -A or -I command. The -t filter is optional, but I don't think the actual "append" or "insert" command is.... not sure.
Last edited by whoisdevnull; 12-29-2004 at 05:48 PM.
Quick question: I edited my sshd_config file, but my logs appear different from those of others who have posted and are blocking them...
This is what I have:
Dec 30 14:00:53 www sshd[12565]: Invalid user blue from ::ffff:201.128.98.208
Dec 30 14:00:53 www sshd[12565]: error: Could not get shadow information for NOUSER
Dec 30 14:00:53 www sshd[12565]: Failed password for invalid user blue from ::ffff:201.128.98.208 port 46485 ssh2
Dec 30 14:00:53 www sshd[12567]: rexec line 96: Deprecated option RhostsAuthentication
Dec 30 14:00:55 www sshd[12567]: Invalid user red from ::ffff:201.128.98.208
Dec 30 14:00:55 www sshd[12567]: error: Could not get shadow information for NOUSER
Dec 30 14:00:55 www sshd[12567]: Failed password for invalid user red from ::ffff:201.128.98.208 port 46527 ssh2
Dec 30 14:00:56 www sshd[12569]: rexec line 96: Deprecated option RhostsAuthentication
Dec 30 14:00:58 www sshd[12569]: Invalid user yellow from ::ffff:201.128.98.208
Dec 30 14:00:58 www sshd[12569]: error: Could not get shadow information for NOUSER
whereas I would feel more comfortable if my logs appeared like this:
Oct 4 11:33:34 atr2 sshd[3251]: User root not allowed because listed in DenyUsers
Oct 4 11:33:34 atr2 sshd[3251]: Failed password for invalid user root from 4.28.181.157 port 50314 ssh2
Also, how can I get a summary such as this:
61.184.104.236 -j DROP # illegal ssh login attempt 22.9.2004
218.232.104.41 -j DROP # illegal ssh login attempt 22.9.2004
201.10.45.4 -j DROP # illegal ssh login attempt 23.9.2004
218.188.9.51 -j DROP # illegal ssh login attempt 23.9.2004
148.215.14.181 -j DROP # illegal ssh login attempt 24.9.2004
70.240.3.138 -j DROP # illegal ssh login attempt 24.9.2004
Just read a nice little article and then did some more reading on this subject.
/etc/ssh/sshd_config
AllowGroups
This keyword can be followed by a list of group name patterns, separated by spaces. If specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns. '*' and '?' can be used as wildcards in the patterns. Only group names are valid; a numerical group ID is not recognized. By default, login is allowed for all groups.
AllowUsers
This keyword can be followed by a list of user name patterns, separated by spaces. If specified, login is allowed only for user names that match one of the patterns. '*' and '?' can be used as wildcards in the patterns. Only user names are valid; a numerical user ID is not recognized. By default, login is allowed for all users. If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts.
One person asked whether or not the entire IP block should be blocked in the firewall or just the individual offender.
I think a sensible policy would be to report the offending IP address to the ISP. If the ISP doesn't address the problem, then don't trust any address from that IP block.
Originally posted by jschiwal
I think a sensible policy would be to report the offending IP address to the ISP. If the ISP doesn't address the problem, then don't trust any address from that IP block.
This would be fine except about 80% of my attackers don't have a reverse DNS entry so one is left to guess who they belong to. It is true that most of these machines are trojaned and it would be a good idea to let the owner know.
I have reported a few that belong to universities around the world and got replies from a few of them. Basically if the address doesn't reverse or it shows up in China or Asia, I just block it and forget about it. If the owner doesn't care enough to set up their DNS entries correctly, I can't help them with their trojan problems.
I don't think there is any use in blacklisting entire netblocks. This is a per-machine problem, not organized groups of hackers. Spammers are where you want to blacklist the entire netblock.
The rationale behind my suggestion is that if the organization owning the block is indifferent to abuse by its members, then the entire organization shouldn't be trusted and could be rightly considered a hacker's haven. Admittedly this situation is most likely a rare case, but maybe not for certain geographic locations.
I know the debate on countermeasures is ongoing. Basically I see 2 categories of countermeasure.
1. Hardening the system, including (but not limited to) using a non-standard port.
2. Blocking access, at the firewall or via hosts.deny/hosts.allow.
Now, I am interested in the source of the attacks. It has been debated whether to block the whole net block or just the attacker IP. It would be good if we could consolidate the IPs the attackers are coming from. At least we could try to analyze the sources statistically. It would also form a database for those who want to use blocking measures. Admins here could also analyze the threats posed by the net block (IP range owner).
I don't think it is too difficult, just write a script to gather all attackers' IPs and filter out duplicates. I am willing to host the list on a webhosting account I have.
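The consolidation script proposed here and the "summary such as this" asked for earlier in the thread come down to the same parsing job, so here is one added example (written for this page, not by any poster) that does it in Python. It reads the syslog-style sshd lines quoted in the thread, handles both the "Illegal user" and "Invalid user" wording, strips the ::ffff: prefix that sshd prints for IPv4 connections accepted on an IPv6 socket, deduplicates the two lines sshd writes for one attempt, counts distinct attacking hosts per /24 (the per-host versus netblock question), and emits one DROP line per source in the commented style shown above. The sample log is constructed from the lines quoted in the thread, and the `iptables -A INPUT -s` prefix is an assumption about how your firewall script is laid out.

```python
"""Summarise failed sshd logins and emit iptables DROP rules.

Added example, not code from the thread. Assumptions: syslog-style sshd
lines as quoted in the thread, and a firewall script that takes
"iptables -A INPUT -s <ip> -j DROP" lines (change rule_prefix otherwise).
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample built from the thread's own lines: the three message shapes.
SAMPLE_LOG = """\
Dec 30 14:00:53 www sshd[12565]: Invalid user blue from ::ffff:201.128.98.208
Dec 30 14:00:53 www sshd[12565]: error: Could not get shadow information for NOUSER
Dec 30 14:00:53 www sshd[12565]: Failed password for invalid user blue from ::ffff:201.128.98.208 port 46485 ssh2
Dec 30 14:00:55 www sshd[12567]: Invalid user red from ::ffff:201.128.98.208
Oct 4 11:33:34 atr2 sshd[3251]: User root not allowed because listed in DenyUsers
Oct 4 11:33:34 atr2 sshd[3251]: Failed password for invalid user root from 4.28.181.157 port 50314 ssh2
Jan 23 08:21:40 prometheus sshd[32496]: Illegal user robert from ::ffff:66.79.171.190
Jan 23 08:21:41 prometheus sshd[32502]: Illegal user coolboy from ::ffff:66.79.171.190
"""

_PREFIX = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
PATTERNS = [
    # older sshd says "Illegal user", newer "Invalid user"
    re.compile(_PREFIX + r"(?:Invalid|Illegal) user (?P<user>\S+) from (?P<src>\S+)$"),
    re.compile(_PREFIX + r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"),
]


def normalise_source(src):
    """Turn the IPv4-mapped form sshd logs on an IPv6 socket (::ffff:a.b.c.d) into a.b.c.d."""
    addr = ipaddress.ip_address(src)
    mapped = getattr(addr, "ipv4_mapped", None)
    return str(mapped) if mapped is not None else str(addr)


def parse_attempts(log_text):
    """Return [(timestamp, user, ip)], one entry per attempt.

    sshd logs the same attempt twice (the "Invalid user" line and the later
    "Failed password" line share a pid), so entries are deduplicated on
    (pid, user, source).
    """
    attempts, seen = [], set()
    for line in log_text.splitlines():
        for pattern in PATTERNS:
            m = pattern.match(line)
            if m is None:
                continue
            key = (m["pid"], m["user"], m["src"])
            if key not in seen:
                seen.add(key)
                attempts.append((m["ts"], m["user"], normalise_source(m["src"])))
            break
    return attempts


def summarise(attempts):
    """Per source IP: attempt count, first/last timestamp and the user names tried."""
    summary = {}
    for ts, user, ip in attempts:
        entry = summary.setdefault(ip, {"count": 0, "first": ts, "last": ts, "users": []})
        entry["count"] += 1
        entry["last"] = ts
        if user not in entry["users"]:
            entry["users"].append(user)
    return summary


def by_netblock(summary, prefixlen=24):
    """Distinct attacking hosts per block; a single host in a /24 argues for a per-host rule."""
    blocks = defaultdict(int)
    for ip in summary:
        blocks[str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))] += 1
    return dict(blocks)


def drop_rules(summary, rule_prefix="iptables -A INPUT -s"):
    """One DROP rule per source, commented in the style quoted in the thread, in address order."""
    ordered = sorted(summary.items(), key=lambda kv: ipaddress.ip_address(kv[0]))
    return [
        f"{rule_prefix} {ip} -j DROP # illegal ssh login attempt {e['first']} ({e['count']} tries)"
        for ip, e in ordered
    ]


if __name__ == "__main__":
    import sys
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    summary = summarise(parse_attempts(text))
    for ip, e in summary.items():
        print(f"{ip}: {e['count']} attempts, users tried: {', '.join(e['users'])}")
    for block, hosts in by_netblock(summary).items():
        print(f"{block}: {hosts} host(s)")
    print("\n".join(drop_rules(summary)))
```

Run it as `python sshfail.py < /var/log/auth.log` (or messages/secure, wherever your syslog sends sshd); with nothing on stdin it runs over the embedded sample. Review the list before loading it into a firewall: one attacking host in a block is not evidence about the rest of that block, and the per-/24 count is there precisely to make that visible.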
The whole thing about building a DB for this is that basically all of these are coming from dynamic IPs, or from compromised machines.
I've had attempts from all over the world: U.S., Japan, China, Poland, Czech Republic, so they're from all over. One of the best things that you can do is to set up a mailing script, which I'm going to work on now, to email the ISP of the address telling them what is going on.
From a couple of replies that I've received back from the ISPs, the advice is to put the log output into the text of the file and not as an attachment. I had one that wouldn't receive it as an attachment.
RE: "one of the best things that you can do is to set up a mailing script, which I'm going to work on now, to email the ISP of the address telling them what is going on"
I really can't believe what I am reading here. Are we proposing sending automated emails to ISPs to inform them of automated ssh scripts? At what point would this include reporting someone wget'ing something off your web server or nmap'ing your server? Where do search bots come into the picture?
I am of the opinion that the best approach is to learn how to properly secure the system so these trivial scripts and their results become uninteresting to their authors. I do not want some "ISP authority" telling me I can't do something on the internet "'cause someone reported me".
Remember, since there is quite a long wait in response to an incorrect login these scripts place virtually no load on the system.
Jan 23 08:21:40 prometheus sshd[32496]: Illegal user robert from ::ffff:66.79.171.190
Jan 23 08:21:41 prometheus sshd[32502]: Illegal user coolboy from ::ffff:66.79.171.190
Jan 23 08:21:42 prometheus sshd[32504]: Illegal user derek from ::ffff:66.79.171.190
Jan 23 08:21:43 prometheus sshd[32506]: Illegal user james from ::ffff:66.79.171.190
Jan 23 08:21:45 prometheus sshd[32508]: Illegal user james from ::ffff:66.79.171.190
Jan 23 08:21:46 prometheus sshd[32510]: Illegal user james from ::ffff:66.79.171.190
Jan 23 08:21:48 prometheus sshd[32512]: Illegal user lisa from ::ffff:66.79.171.190
Jan 23 08:21:49 prometheus sshd[32514]: Illegal user mario from ::ffff:66.79.171.190
Jan 23 08:21:51 prometheus sshd[32516]: Illegal user martin from ::ffff:66.79.171.190
Jan 23 08:21:53 prometheus sshd[32518]: Illegal user sonya from ::ffff:66.79.171.190
Jan 23 08:21:55 prometheus sshd[32520]: Illegal user tony from ::ffff:66.79.171.190
Jan 23 08:21:57 prometheus sshd[32522]: Illegal user just from ::ffff:66.79.171.190
Jan 23 08:22:00 prometheus sshd[32524]: Illegal user justice from ::ffff:66.79.171.190
Jan 23 08:22:02 prometheus sshd[32530]: Illegal user bank from ::ffff:66.79.171.190
Jan 23 08:22:03 prometheus sshd[32532]: Illegal user vip from ::ffff:66.79.171.190
So if I'm looking into my logs for this kind of thing, which wget doesn't make, then you're trying to tell me that I shouldn't be sending an alert to the ISP?