SSH tricks -- any way to block failed attempts by IP address
I just read the SSH attack post. I'm getting the same thing. What I want to know is: can you block users who fail to log in from the same IP? I get plenty of failed attempts under different user names. Is there a way to block failed attempts from the same IP?
I was having the same problem. Most of the attacks coming to my servers are stupid. I got tired of having my security monitoring system drip all the time because of these, so I moved SSH to a different port. Now there are 0 login attempts. Recommended.
Thanks for the tip. I found a program called authfail that blocks users using iptables once they fail to log in 4 times. Plus they get added to your hosts.deny list. It seems to work well.
Hi,
Here's an easy fix. It drops new SSH connections coming from the same IP at intervals shorter than 15 s (or any timeout you want). On my server this has been shown to stop the automated attempts at the first failed connection, and even if the attacker waits the 15 s, it makes brute-force attempts impractical.
For legitimate sessions, 15 s between session starts is reasonable (at least for me).
It's just two lines in the iptables configuration. No other change required:
# Drop a NEW connection to port 22 if this source was seen within the last 15 s (and refresh its timer)
iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --update --seconds 15 -j DROP
# Otherwise record the source in the recent list and accept
iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --set -j ACCEPT
(eth0 is my external interface; I'm not limiting intranet connections)
This assumes you already have
iptables -A INPUT -j ACCEPT -p tcp ! --syn -s <REMOTENET> -d <OUTERNET>
above that, to accept established connection packets.
That's a good tip; I'll keep it for future reference. I found a script called "authfail" that basically does just that. It runs in the background and after 4 failed attempts it automatically drops their connections via iptables. Your method works very similarly.
Re: SSH tricks -- any way to block failed attempts by IP address
Quote:
Originally posted by kuriharu: I just read the SSH attack post. I'm getting the same thing. What I want to know is: can you block users who fail to log in from the same IP? I get plenty of failed attempts under different user names. Is there a way to block failed attempts from the same IP?
There are many people that suggest using all kinds of tools that scan your logfiles and then add the IP to netfilter. However, if you run such a tool every 5 minutes, your attacker can still try passwords for 5 minutes.
Recent netfilter setups can do something much better: realtime blacklisting. Not done by an external script, but by netfilter itself, using the recent module. It will blacklist the host if there are (for example) more than 3 connects in 10 seconds. I use such a setup on several servers, and the attackers can only try one or two passwords before they get blocked.
There are several references to create such a setup:
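To see how the two recent-module styles in this thread actually behave (the 15 s interval rules posted earlier, and the "N connects in M seconds" hitcount setup described in this post), here is an added example that models the netfilter `recent` match in Python and replays a constructed connection trace through both rule sets. It is not code from the thread or from netfilter; the addresses, timestamps and the hitcount rule set (3 hits in 10 s, one common way to write what this post describes) are assumptions for the demonstration. It models --set, --update, --seconds and --hitcount as xt_recent evaluates them and keeps its default of 20 timestamps per address; --rcheck, --remove, --rttl and --reap are not modelled.

```python
"""Model of netfilter's `recent` match, used to replay a trace of new SSH
connections through the two rule styles in this thread.

Added example, not code from the thread. Addresses and timestamps are
constructed. A stamp counts if it is no older than --seconds; --update adds a
fresh stamp only when it matched, which is what makes the block slide forward
on every retry. Not modelled: --rcheck, --remove, --rttl, --reap.
"""
from collections import defaultdict, deque

IP_PKT_LIST_TOT = 20  # xt_recent default: timestamps kept per address


class RecentTable:
    """One recent list, as in /proc/net/xt_recent/DEFAULT."""

    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=IP_PKT_LIST_TOT))

    def match(self, ip, now, op, seconds=0, hitcount=0):
        """Evaluate one `-m recent --<op>` for a packet from ip at time now.

        --set always matches and records a stamp. --update matches when ip is
        listed and at least hitcount (1 if unset) of its stamps fall within
        the last `seconds` (any age if 0); a match records a new stamp too.
        """
        if op == "set":
            self.stamps[ip].append(now)
            return True
        if ip not in self.stamps:
            return False
        hits = 0
        for t in self.stamps[ip]:
            if seconds and t < now - seconds:
                continue  # expired stamp, does not count
            hits += 1
            if hits >= max(hitcount, 1):
                self.stamps[ip].append(now)  # --update refreshes the entry
                return True
        return False


def run_chain(rules, trace):
    """Walk each (time, src_ip) NEW connection through `rules` in order, like
    the INPUT chain: a matching rule with a target ends evaluation, a matching
    rule without one falls through. Assumes the chain otherwise accepts."""
    table = RecentTable()
    verdicts = []
    for now, ip in trace:
        verdict = "ACCEPT"
        for rule in rules:
            if table.match(ip, now, rule["op"],
                           rule.get("seconds", 0), rule.get("hitcount", 0)):
                if rule.get("target"):
                    verdict = rule["target"]
                    break
        verdicts.append(verdict)
    return verdicts


def verdicts_by_ip(rules, trace):
    """Same as run_chain, grouped per source address."""
    grouped = defaultdict(list)
    for (_, ip), verdict in zip(trace, run_chain(rules, trace)):
        grouped[ip].append(verdict)
    return dict(grouped)


# The two-line setup posted earlier: drop if seen within 15 s, else record + accept.
INTERVAL_RULES = [
    {"op": "update", "seconds": 15, "target": "DROP"},
    {"op": "set", "target": "ACCEPT"},
]

# Assumed form of "N connects in M seconds": record every connection, then
# drop once 3 of them fall inside a 10 s window.
HITCOUNT_RULES = [
    {"op": "set"},
    {"op": "update", "seconds": 10, "hitcount": 3, "target": "DROP"},
]

# Constructed trace: a scripted guesser every 2 s, an admin minutes apart.
ATTACKER, ADMIN = "198.51.100.7", "203.0.113.5"
TRACE = sorted([(t, ATTACKER) for t in range(0, 20, 2)]
               + [(0, ADMIN), (40, ADMIN), (80, ADMIN)], key=lambda e: e[0])

if __name__ == "__main__":
    for name, rules in (("interval", INTERVAL_RULES), ("hitcount", HITCOUNT_RULES)):
        for ip, vs in verdicts_by_ip(rules, TRACE).items():
            print(f"{name:9s} {ip:14s} " + " ".join(v[0] for v in vs))
```

Replaying the trace shows the trade-off between the two styles: the interval rules let the scripted guesser through once and drop every retry after that, and because --update refreshes the timestamp on each dropped attempt, the bot keeps itself blocked for as long as it keeps retrying (and a retry exactly 15 s after the last drop is still inside the window). The price is that a second legitimate connection from the same address within 15 s, for instance an scp right after an ssh, is dropped too. The hitcount rules tolerate that but give the attacker two guesses per window. Both act on the source address only, so anyone behind the same NAT as a blocked bot shares its fate. On current iptables, `-m state --state NEW` is spelled `-m conntrack --ctstate NEW`.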
You can configure SSH to listen on another port. I had lots of brute attack logs on my box when ssh was set to listen on port 22. I have yet to see a log about an attack after I moved it, but that's not to say I won't ever get one.
We have a lot of problems with SSH brute attacks. DenyHosts has helped a lot.
That's great, but the OP stated nearly three years ago that he found a solution. Not sure why you'd wanna resurrect a three year old dead thread just to suggest DenyHosts, which is already mentioned in the Failed SSH login attempts sticky, along with almost every other thread about brute-force SSH login attempts. I'm closing this.