Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
#1 | 06-16-2006, 12:16 AM
Member | Registered: Oct 2003 | Location: NH | Distribution: SUSE | Posts: 32
Being attacked.
I have SUSE 10.0 and am running sshd. When I look in messages I see...
Jun 15 11:36:09 linux01 sshd[9840]: Invalid user steve from 204.10.106.233
Jun 15 11:36:12 linux01 sshd[9842]: Invalid user steve from 204.10.106.233
Jun 15 11:36:14 linux01 sshd[9844]: Invalid user steve from 204.10.106.233
Jun 15 11:36:15 linux01 sshd[9846]: Invalid user shimada from 204.10.106.233
Jun 15 11:36:17 linux01 sshd[9848]: Invalid user shimada from 204.10.106.233
Jun 15 11:36:18 linux01 sshd[9850]: Invalid user shimada from 204.10.106.233
I'm up to date on my patches and use strict IDs/passwords, but I can't seem to find the answer I'm looking for.
On SUSE 10, how do I set up my FW rules so a user from IP address X can only attempt x number of login attempts and then my system neglects to respond to logins for x mins?
A simple example would be: I fail to log in on three attempts... my next login attempt won't be accepted till, say, 10 mins later.
#2 | 06-16-2006, 12:25 AM
Member | Registered: Oct 2005 | Location: Australia | Distribution: slackware 12.1 | Posts: 753
Is your machine accessible through ssh from everywhere (0/0)? In my practice I have never done it. I just open very, very specific IPs in my FW for ssh access. That way, the FW would reject any ssh attempts from unknown IPs. Yes, you need static IPs for that, and you might as well get one if you don't have it already. Also, you might want to change your ssh port number to something less known than the default 22. Yes, somebody could still find the port number being used and also fake the IP, but the process is harder and will consume time. If you are the only one using the ssh access, make sure you change the port number occasionally. For example, I access my work network from my home; I have a static IP at home, and in my firewall I have just opened up access for that IP. Your situation could of course be different.
#3 | 06-16-2006, 12:34 AM
Member (Original Poster) | Registered: Oct 2003 | Location: NH | Distribution: SUSE | Posts: 32
I use a dynamic DNS service and route via name... but yes, locally on my network it is a static IP, and yes, I'm the only one ssh'ing.
I'd rather not restrict by IP as I sometimes connect from relatives' PCs and they all have dynamic IPs as well as different ISPs.
I've seen how to do it in RH, but from what I can tell SUSE appears to use a different type of config.
Last edited by WRXSTi; 06-16-2006 at 12:35 AM.
#4 | 06-16-2006, 12:35 AM
Member | Registered: Aug 2005 | Location: Midland, TX | Distribution: Ubuntu | Posts: 125
#5 | 06-16-2006, 12:54 AM
Member | Registered: Oct 2005 | Location: Australia | Distribution: slackware 12.1 | Posts: 753
Quote: Originally Posted by WRXSTi
I'd rather not restrict by IP as I sometimes connect from relatives' PCs and they all have dynamic IPs as well as different ISPs.
Yes, I know; I too have faced those kinds of problems. So in the end, it all boils down to a security vs. convenience issue.
#6 | 06-16-2006, 12:55 AM
Member | Registered: Oct 2005 | Location: Australia | Distribution: slackware 12.1 | Posts: 753
Maybe instead of using a password, you can use ssh keys, or both.
#7 | 06-16-2006, 08:28 AM
Member | Registered: Aug 2005 | Location: Midland, TX | Distribution: Ubuntu | Posts: 125
I have clients running Linux servers on DSL/Cable connections that run no-ip.com for dynamic addresses. I never use port 22 on them and I use ssh-keys only to remote access them. Port 22 gets scanned constantly but other port numbers are usually ignored.
#8 | 06-16-2006, 08:28 AM
Member | Registered: Mar 2006 | Distribution: BackTrack, RHEL, FC, CentOS, IPCop, Ubuntu, 64Studio, Elive, Dream Linux, Trix Box | Posts: 310
Hello WRXSTi,
Why don't you have a look at this thread in the same forum?
Hope this will help you.
#9 | 06-16-2006, 08:56 AM
Member | Registered: Mar 2006 | Distribution: BackTrack, RHEL, FC, CentOS, IPCop, Ubuntu, 64Studio, Elive, Dream Linux, Trix Box | Posts: 310
Hi,
As an instant measure, change your password to something long and complicated.
#10 | 06-18-2006, 07:31 AM
Member | Registered: Jul 2004 | Location: Manchester, England | Distribution: Gentoo | Posts: 211
You should also e-mail abuse@acceleratebiz.com, attaching the logs, so they can punish the person trying to break in to your computer.
#11 | 06-18-2006, 07:41 AM
Member | Registered: Oct 2005 | Location: Australia | Distribution: slackware 12.1 | Posts: 753
The ssh key seems to be best for the purpose. I am going to try it. I get the feeling it would be annoying carrying the key on a pendrive everywhere I go; nevertheless, I will try.
#12 | 06-18-2006, 09:48 AM
Senior Member | Registered: Nov 2004 | Distribution: Mint, MX, antiX, SystemRescue | Posts: 2,337
Quote: Originally Posted by WRXSTi
A simple example would be: I fail to log in on three attempts... my next login attempt won't be accepted till, say, 10 mins later.
See what I do to handle this in post #20 and post #22 in the thread below. These two posts went a bit off-topic on that thread, but they illustrate a program I use to ban IP addresses after three failed attempts. http://www.linuxquestions.org/questi...d.php?t=454306
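As an added example (not code from any post in this thread, and not the program post #12 refers to), here is the "three failures, then ignore that address for ten minutes" policy from the opening post, applied to sshd log lines like the ones quoted there. The log sample, the year 2006 and the 192.0.2.7 address are constructed; the function only decides which addresses to ban and when, leaving the firewall change to whatever script consumes it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample: the first four lines mirror the sshd log quoted in the
# opening post; the last two (and the 192.0.2.7 address) are made up.
SAMPLE_LOG = """\
Jun 15 11:36:09 linux01 sshd[9840]: Invalid user steve from 204.10.106.233
Jun 15 11:36:12 linux01 sshd[9842]: Invalid user steve from 204.10.106.233
Jun 15 11:36:14 linux01 sshd[9844]: Invalid user steve from 204.10.106.233
Jun 15 11:36:15 linux01 sshd[9846]: Invalid user shimada from 204.10.106.233
Jun 15 11:48:30 linux01 sshd[9901]: Invalid user shimada from 204.10.106.233
Jun 15 11:50:02 linux01 sshd[9910]: Invalid user bob from 192.0.2.7
"""
LINE_RE = re.compile(r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) "
                     r"\S+ sshd\[\d+\]: Invalid user \S+ from (?P<ip>\S+)$")
YEAR = 2006  # syslog lines carry no year; assumed for the sample

def parse(line):
    """Return (timestamp, source ip) for an sshd 'Invalid user' line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    return ts, m["ip"]

def find_bans(log, threshold=3, window=timedelta(minutes=10),
              ban_for=timedelta(minutes=10)):
    """Ban an address after `threshold` failures inside `window`; the ban lasts
    `ban_for`.  Returns (ip, ban_start, ban_end) tuples in the order issued."""
    failures = defaultdict(deque)   # ip -> timestamps of its recent failures
    banned_until = {}               # ip -> when its current ban expires
    bans = []
    for line in log.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if ip in banned_until and ts < banned_until[ip]:
            continue                # the firewall would have dropped this attempt
        q = failures[ip]
        q.append(ts)
        while ts - q[0] > window:   # forget failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            banned_until[ip] = ts + ban_for
            bans.append((ip, ts, ts + ban_for))
            q.clear()               # count afresh once the ban lapses
    return bans
```

On the sample, the third failure at 11:36:14 triggers a ban until 11:46:14; the 11:36:15 attempt is ignored as already banned, and the 11:48:30 failure starts a fresh count.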