Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
I have a situation. I have these ip addresses that are attacking by box. They are trying to log into ssh with a user and pass and it fails. What I want to do is block them after a certain IP fails to log in after 3 tries. However I do not want to lock the user because they are attacking my user etc. Is this possible?
I have read (but of course don't remember ) several articles talking about how to do this, so I know solutions are out there. This article talks about one such solution about half way down the page. For other solutions, try entering the word iptables and the phrase ssh attack in a search engine. Or perhaps come up with better search terms.
EDIT: As fate would have it, I just ran across one of solutions that I couldn't remember the name of ... From Fail2ban's website:
Fail2ban scans log files like /var/log/pwdfail or /var/log/apache/error_log and bans IP that makes too many password failures. It updates firewall rules to reject the IP address.
The article I was reading says it works for ssh and does exactly what you are asking. Bans can be temporary or permanent. You can protect selected IP addresses from being banned via a whitelist. Cheers.
Last edited by blackhole54; 06-06-2007 at 12:48 AM.
I'd suggest you try Denyhosts which is an application specifically designed to block SSH attacks.
The app can be run with a Cron or a Daemon, and basically allows you to configure the app to block failed attempts to your SSH service. It sends offending IPs to the hosts.deny file and allows you to configure things differently for "root" or other users (i.e: If someone tries to login with root block them right away, but if you try to access with another account block the IP after 10 attempts and so on). The config file is pretty straightforward.
I tried denyhosts and it seems to works really well and it was very very easy to configure. I would recommend it to anyone. I'll check out the stats tonight to see how many attempts were made and then blocked. People were attacking by the thousands. I guess my next question is people are attacking my mailserver to see if it is an open relay server(which it is not), is there a way to block them. What are your opinions on IPCop?
I played with it several hours a year or two ago and was favorably impressed, but I had no immediate need for it. I have also read favorable comments from other people. YMMV. If you have a spare computer laying around I would suggest you play around with it on that before deciding if you want to put it into production. Its requirements are quite minimal (particularly for simple testing), but it is designed to be the only thing on the box.
I don't know that IPCop would specifically help with your mail server being swarmed. Fail2ban might be better for this task unless you have only a small number of IP addresses that you want to allow to access your mail server. (I suppose you could run something like fail2ban on your IPCop box, but the developers of IPCop warn you to be very careful about adding additional software to make sure you don't inadvertently create a security hole.)
Last edited by blackhole54; 06-10-2007 at 12:06 AM.