Visit Jeremy's Blog.
Go Back > Forums > Linux Forums > Linux - Networking
User Name
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.


  Search this Thread
Old 03-09-2005, 06:15 AM   #1
LQ Newbie
Registered: Jan 2004
Posts: 4

Rep: Reputation: 0
Blocking Ip's

due to the massive amount of ssh failed logins at an average of 1200 attempts daily from different IPAddresses at my webserver, i would like to block access to those IPAddresses who have had say 5 unsuccesful attempts. I can block an IPAddress through Iptables but since the IPAddress of the attacker changes everyday so it is not block the IPAddress.

Can anyone suggest me a way to block an IPAddress from Logging, once it has had 5 UNSUCCESSFUL login attempts

Thanx in Advance
Old 03-09-2005, 09:10 AM   #2
Registered: Aug 2003
Location: Little Rock, Arkansas
Distribution: RH, Fedora, Suse, AIX
Posts: 736

Rep: Reputation: 31
You probably don't wanna hear this, but its better to disable SSH logins completely and your problems go away.

If you must have SSH logins enabled, setup public key authentication. This will help you sleep better at night, because the only way they are gonna login to your box is if they have the correct key on their system.

There is a tutorial for setting up public key access here..

If you're still not satisfied, you can pay a visit to your /etc/hosts.deny and /etc/hosts.allow files. Using the proper syntax for these files, you can deny everyone access to SSH and then selectively allow certain IPs to access your SSH daemon. This will help if you know the IPs of all your valid SSH users. However, if one of your users wants to login from another IP, this isn't gonna work. He will need to email you with the new IP address so you can add it to hosts.allow.

Food for thought.
Old 03-10-2005, 03:51 AM   #3
LQ Newbie
Registered: Jan 2004
Posts: 4

Original Poster
Rep: Reputation: 0
Well that doesn't kind of solve my problem. i am already using public keys, but SSH login are must otherwise i might've to set up FTP access which is more insecure. Its a webserver so obviously developers have to log in to update their work. Since more or less they use dynamic Ip's so can't list em in hosts.allow.

Any other suggestions
Old 03-10-2005, 04:54 AM   #4
Senior Member
Registered: Jan 2003
Location: Portland, OR USA
Distribution: Slackware, SLAX, Gentoo, RH/Fedora
Posts: 1,024

Rep: Reputation: 45
This thread in the Security forum has beat this horse to death, if you want all the details:

If you just want to stop having your logs flooded with all these pathetic attempts, the simplest method appears to be to change the port that SSH listens on. Once you do this, you will obviously have to change any firewall rules and inform everyone who legitimately connects to your server(s) what port, and possibly how to specify it, to connect to.


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
All internal IP's are taken? kuplo Linux - Newbie 3 12-04-2005 07:29 PM
blocking source ip's using iptables ekkins Linux - Networking 5 06-20-2005 02:10 AM
IPTables - Multiple Public IP's to private IP's matneyc Linux - Security 8 05-27-2005 01:23 PM
More ip's ThePlague Linux - Networking 1 02-02-2002 05:19 PM
ip's Syphon Linux - Networking 1 01-18-2002 08:35 PM > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 07:23 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration