Due to the massive amount of failed SSH logins, at an average of 1200 attempts daily from different IP addresses at my webserver, I would like to block access to those IP addresses that have had, say, 5 unsuccessful attempts. I can block an IP address through iptables, but since the IP address of the attacker changes every day, it does not block the IP address.
Can anyone suggest a way to block an IP address from logging in once it has had 5 UNSUCCESSFUL login attempts?
You probably don't wanna hear this, but it's better to disable SSH logins completely and your problems go away.
If you must have SSH logins enabled, set up public key authentication. This will help you sleep better at night, because the only way they are gonna log in to your box is if they have the correct key on their system.
There is a tutorial for setting up public key access here.
If you're still not satisfied, you can pay a visit to your /etc/hosts.deny and /etc/hosts.allow files. Using the proper syntax for these files, you can deny everyone access to SSH and then selectively allow certain IPs to access your SSH daemon. This will help if you know the IPs of all your valid SSH users. However, if one of your users wants to log in from another IP, this isn't gonna work. He will need to email you with the new IP address so you can add it to hosts.allow.
Well, that kind of doesn't solve my problem. I am already using public keys, but SSH logins are a must, otherwise I might have to set up FTP access, which is more insecure. It's a webserver, so obviously developers have to log in to update their work. Since they more or less use dynamic IPs, I can't list them in hosts.allow.
If you just want to stop having your logs flooded with all these pathetic attempts, the simplest method appears to be to change the port that SSH listens on. Once you do this, you will obviously have to change any firewall rules and inform everyone who legitimately connects to your server(s) what port, and possibly how to specify it, to connect to.
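The threshold asked for in the question (act on an address once it has 5 failed logins) can be computed from sshd's log lines and written out in the /etc/hosts.deny syntax mentioned above. This is an added example, not part of the thread; the `Failed password` message format, the sample log lines and all function names are assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address

THRESHOLD = 5  # failed attempts before blocking, as in the question

# Assumed OpenSSH message format. The greedy ".*" plus the "$" anchor bind to the
# LAST "from ADDR port N ssh2", which sshd writes itself, so a client-chosen
# username containing "from 198.51.100.7 port 22 ssh2" cannot frame another host.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for .* from (\S+) port \d+ ssh2\s*$")

def failed_counts(lines):
    """Count failed password attempts per source address."""
    counts = Counter()
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue
        try:
            counts[str(ip_address(m.group(1)))] += 1
        except ValueError:  # not a literal IP address (e.g. a hostname): skip
            continue
    return counts

def offenders(lines, threshold=THRESHOLD, allow=()):
    """Addresses at or above the threshold, minus an allowlist of trusted addresses."""
    allowed = {str(ip_address(a)) for a in allow}
    counts = failed_counts(lines)
    return sorted(ip for ip, n in counts.items() if n >= threshold and ip not in allowed)

def hosts_deny_entries(ips):
    """Format addresses as /etc/hosts.deny lines (IPv6 goes in brackets)."""
    addrs = [ip_address(ip) for ip in ips]
    return [f"sshd: [{a}]" if a.version == 6 else f"sshd: {a}" for a in addrs]

def _fail(user, addr):  # builds one constructed log line
    return f"Jan 12 03:14:07 web sshd[2211]: Failed password for {user} from {addr} port 51234 ssh2"

# Constructed sample log (documentation address ranges), not real traffic.
SAMPLE_LOG = (
    [_fail("invalid user admin", "203.0.113.5")] * 3
    + [_fail("root", "203.0.113.5")] * 2
    + [_fail("root", "198.51.100.7")] * 2
    + [_fail("invalid user x from 198.51.100.7 port 22 ssh2", "203.0.113.9")]
    + ["Jan 12 03:20:00 web sshd[2300]: Accepted publickey for dev from 198.51.100.7 port 40000 ssh2"]
)

if __name__ == "__main__":
    print("\n".join(hosts_deny_entries(offenders(SAMPLE_LOG))))
```

hosts.deny entries only take effect when sshd is built with TCP wrappers support; the same address list can be turned into iptables rules instead.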