-   Linux - Networking (
-   -   Blocking Ip's (

joanduan 03-09-2005 06:15 AM

Blocking Ip's
due to the massive amount of ssh failed logins at an average of 1200 attempts daily from different IPAddresses at my webserver, i would like to block access to those IPAddresses who have had say 5 unsuccesful attempts. I can block an IPAddress through Iptables but since the IPAddress of the attacker changes everyday so it is not block the IPAddress.

Can anyone suggest me a way to block an IPAddress from Logging, once it has had 5 UNSUCCESSFUL login attempts

Thanx in Advance

Donboy 03-09-2005 09:10 AM

You probably don't wanna hear this, but its better to disable SSH logins completely and your problems go away.

If you must have SSH logins enabled, setup public key authentication. This will help you sleep better at night, because the only way they are gonna login to your box is if they have the correct key on their system.

There is a tutorial for setting up public key access here..

If you're still not satisfied, you can pay a visit to your /etc/hosts.deny and /etc/hosts.allow files. Using the proper syntax for these files, you can deny everyone access to SSH and then selectively allow certain IPs to access your SSH daemon. This will help if you know the IPs of all your valid SSH users. However, if one of your users wants to login from another IP, this isn't gonna work. He will need to email you with the new IP address so you can add it to hosts.allow.

Food for thought.

joanduan 03-10-2005 03:51 AM

Well that doesn't kind of solve my problem. i am already using public keys, but SSH login are must otherwise i might've to set up FTP access which is more insecure. Its a webserver so obviously developers have to log in to update their work. Since more or less they use dynamic Ip's so can't list em in hosts.allow.

Any other suggestions

Darin 03-10-2005 04:54 AM

This thread in the Security forum has beat this horse to death, if you want all the details:

If you just want to stop having your logs flooded with all these pathetic attempts, the simplest method appears to be to change the port that SSH listens on. Once you do this, you will obviously have to change any firewall rules and inform everyone who legitimately connects to your server(s) what port, and possibly how to specify it, to connect to.

All times are GMT -5. The time now is 04:24 AM.