LinuxQuestions.org
Closed Thread
 
Old 07-12-2005, 02:16 AM   #1
tensigh
SSH tricks -- any way to block failed attempts by IP address


I just read the SSH attack post. I'm getting the same thing. What I want to know is: can you block users who fail to log in from the same IP? I get plenty of failed attempts under different user names. Is there a way to block failed attempts from the same IP?

Just a thought.
 
Old 07-12-2005, 09:29 AM   #2
makuyl
Which post did you read? This one? http://www.linuxquestions.org/questi...5&pagenumber=3
 
Old 07-12-2005, 10:21 AM   #3
tensigh
Thanks for the link!

That wasn't the one I read, but thanks for pointing it out to me! There was a post to a link that was perfect.

-C
 
Old 07-15-2005, 08:18 PM   #4
kuhazor
Change the port

I was having the same problem. Most of the attacks are stupid coming to my servers. I got tired of having security monitoring system to drip all the time because of these so I moved SSH to a different port. Now, there are 0 login attempts. Recommended.
 
Old 07-16-2005, 01:42 AM   #5
tensigh
SSH login attempts

Thanks for the tip. I found a program called authfail that blocks users using iptables once they fail to log in 4 times. Plus they get added to your hosts.deny list. It seems to work well.
 
Old 08-24-2005, 03:20 PM   #6
jsveiga
Hi,

Here's an easy fix. It drops new ssh connections coming from the same IP with less than 15s intervals (or any timeout you want). On my server, this has shown to stop the automated attempts on the first failed connection - and even if the attacker waits for the 15s, it makes brute-force attempts not practical.

For legit sessions, 15s is reasonable (at least for me) between session starts.

It's just two lines on the iptables configuration. No other change required:

iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --update --seconds 15 -j DROP
iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --set -j ACCEPT

(eth0 is my external interface; I'm not limiting intranet connections)

This assumes you already have
iptables -A INPUT -j ACCEPT -p tcp ! --syn -s <REMOTENET> -d <OUTERNET>
above that, to accept established connection packets.

BR,

Joao S Veiga
 
Old 08-25-2005, 11:27 AM   #7
tensigh
Thanks!

That's a good tip; I'll keep it for future reference. I found a script called "authfail" that basically does just that. It runs in the background and after 4 failed attempts it automatically drops their connections via iptables. Your method works very similarly.
 
Old 08-25-2005, 05:41 PM   #8
Pilez
Re: SSH tricks -- any way to block failed attempts by IP address

Quote:
Originally posted by kuriharu
I just read the SSH attack post. I'm getting the same thing. What I want to know is: can you block users who fail to log in from the same IP? I get plenty of failed attempts under different user names. Is there a way to block failed attempts from the same IP?

There are many people that suggest using all kinds of tools that scan your logfiles and then add the IP to netfilter. However, if you run such a tool every 5 minutes, your attacker can still try passwords for 5 minutes.

Recent netfilter setups can do something much better: realtime blacklisting. Not done by an external script, but by netfilter itself, using the recent module. It will blacklist the host if there are (for example) more than 3 connects in 10 seconds. I use such a setup on several servers, and the attackers can only try one or two passwords before they get blocked.

There are several references to create such a setup:

http://olivier.sessink.nl/publicatio...ing/index.html

http://blog.blackdown.de/2005/02/18/...th-ipt_recent/
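
The approaches compared in posts #6 and #8, run over a constructed connection timeline (an added example, not code from any poster or from netfilter). It is a simplified model of the recent match for a single source IP; the rule order in `hitcount_rule` and the behaviour of `periodic_scanner` are assumptions, since the thread gives no rules or tool details for them.

```python
# Added example: a simplified model of netfilter's "recent" match for ONE source IP.
# It is not kernel code; it keeps one timestamp per packet and ignores list size limits.

def interval_rule(times, seconds=15):
    """Post #6: '--update --seconds 15 -j DROP' followed by '--set -j ACCEPT'."""
    last_seen, verdicts = None, []
    for t in times:
        hit = last_seen is not None and t - last_seen <= seconds
        verdicts.append("DROP" if hit else "ACCEPT")
        last_seen = t  # --update (on a match) and --set both refresh last-seen
    return verdicts

def hitcount_rule(times, seconds=10, hitcount=4):
    """Post #8's 'more than 3 connects in 10 seconds'. Assumed rule order:
    '--set', then '--update --seconds 10 --hitcount 4 -j DROP'."""
    stamps, verdicts = [], []
    for t in times:
        stamps.append(t)  # --set records every NEW packet, dropped or not
        recent = sum(1 for s in stamps if t - s <= seconds)
        verdicts.append("DROP" if recent >= hitcount else "ACCEPT")
    return verdicts

def periodic_scanner(times, period=300, threshold=4):
    """A log scanner run every `period` seconds that blocks the source at the
    first run after it has logged `threshold` attempts (hypothetical tool)."""
    verdicts, blocked_from = [], None
    for count, t in enumerate(times, start=1):
        if blocked_from is not None and t >= blocked_from:
            verdicts.append("DROP")
            continue
        verdicts.append("ACCEPT")
        if blocked_from is None and count >= threshold:
            blocked_from = (t // period + 1) * period  # time of the next run
    return verdicts

def accepted(verdicts):
    return verdicts.count("ACCEPT")

if __name__ == "__main__":
    bot = list(range(0, 600, 2))  # constructed: one attempt every 2 s for 10 min
    for rule in (interval_rule, hitcount_rule, periodic_scanner):
        print(f"{rule.__name__:17} lets {accepted(rule(bot))} of {len(bot)} through")
    print("admin, 2 sessions 5 s apart:", interval_rule([0, 5]), hitcount_rule([0, 5]))
```

Because `--update` refreshes the timestamp on every dropped packet, the interval rule keeps a source blocked for as long as it retries inside the window, and it also drops a legitimate second session opened within 15 s of the first.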
 
Old 06-06-2008, 12:54 PM   #9
devbro
Look up a program called DenyHosts.

We have a lot of problems with ssh brute attacks. DenyHosts has helped a lot.
 
Old 06-06-2008, 03:45 PM   #10
Linux~Powered
You can configure SSH to listen on another port. I had lots of brute attack logs on my box when ssh was set to listen on port 22. I have yet to see a log about an attack after I moved it, but that's not to say I won't ever get one.
 
Old 06-06-2008, 03:46 PM   #11
win32sux
Quote:
Originally Posted by devbro View Post
Look up a program called DenyHosts.

We have a lot of problems with ssh brute attacks. DenyHosts has helped a lot.

That's great, but the OP stated nearly three years ago that he found a solution. Not sure why you'd wanna resurrect a three year old dead thread just to suggest DenyHosts, which is already mentioned in the Failed SSH login attempts sticky, along with almost every other thread about brute-force SSH login attempts. I'm closing this.
 
  


All times are GMT -5.
