SSH tricks -- any way to block failed attempts by IP address

I just read the SSH attack post. I'm getting the same thing. What I want to know is can you block users who fail to login from the same IP?: I get plenty of failed attempts under different user names. Is there a way to block failed attempts from the same IP?

Just a thought.

Which post did you read? This one?: http://www.linuxquestions.org/questi...5&pagenumber=3

That wasn't the one I read, but thanks for pointing it out to me! There was a post to a link that was perfect.

-C

I was having the same problem. Most of the attacts are stupid coming to my servers. I got tired of having security monitoring system to drip all the time because of these so I moved SSH to a different port. Now, there is 0 login attempts. Recommended.

Thanks for the tip. I found a program called authfail that blocks users using iptables once they fail to login 4 times. Plus they get added to your hosts.deny list. It seems to work well.

Hi,

here's an easy fix. It drops new ssh connections coming from the same IP with less than 15s intervals (or any timeout you want). In my server, this has shown to stop the automated attempts on the first failed connection - and even if the attacker waits for the 15s, it makes brute-force attempts not practical.

For legit sessions, 15s is reasonable (at least for me) between session starts.

It's just two lines on the iptables configuration. No other change required:

iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --update --seconds 15 -j DROP
iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --set -j ACCEPT

(eth0 is my external interface; I'm not limiting intranet connections)

This assumes you already have
iptables -A INPUT -j ACCEPT -p tcp ! --syn -s <REMOTENET> -d <OUTERNET>
above that, to accept established connection packets.

BR,

Joao S Veiga

That's a good tip; I'll keep it for future reference. I found a script called "authfail" that basically does just that. It runs in the background and after 4 failed attempts it automatically drops their connections via iptables. Your method works very similarly.

Quote:

Originally posted by kuriharu I just read the SSH attack post. I'm getting the same thing. What I want to know is can you block users who fail to login from the same IP?: I get plenty of failed attempts under different user names. Is there a way to block failed attempts from the same IP?

There are many people that suggest to use all kind of tools that scan your logfiles and then add the IP to netfilter. However, if you run such a tool every 5 minutes, your attacker can still try passwords for 5 minutes.

Recent netfilter setups can do something much better: realtime blacklisting. Not done by an external script, but by netfilter itself, using the recent module. It will blacklist the host if there are (for example) more then 3 connects in 10 seconds. I use such a setup on several servers, and the attackers can only try one or two passwords before they get blocked.

There are several references to create such a setup:

http://olivier.sessink.nl/publicatio...ing/index.html

http://blog.blackdown.de/2005/02/18/...th-ipt_recent/

look up a program called denyhosts.

we have a lot of problems with ssh brute attacks. denyhost has helped a lot.

You can configure SSH to listen on another port. I had lots of brute attack logs on my box when ssh was set to listen on port 22. I have yet to see a log about an attack after I moved it, but that's not to say I won't ever get one.

Quote:

Originally Posted by devbro look up a program called denyhosts. we have a lot of problems with ssh brute attacks. denyhost has helped a lot.

That's great, but the OP stated nearly three years ago that he found a solution. Not sure why you'd wanna resurrect a three year old dead thread just to suggest DenyHosts, which is already mentioned in the Failed SSH login attempts sticky, along with almost every other thread about brute-force SSH login attempts. I'm closing this.