LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 06-16-2006, 12:16 AM   #1
WRXSTi
Member
 
Registered: Oct 2003
Location: NH
Distribution: SUSE
Posts: 32

Rep: Reputation: 15
Being attacked.


I have SUSE 10.0 and running sshd. When I look in messages I see...

Jun 15 11:36:09 linux01 sshd[9840]: Invalid user steve from 204.10.106.233
Jun 15 11:36:12 linux01 sshd[9842]: Invalid user steve from 204.10.106.233
Jun 15 11:36:14 linux01 sshd[9844]: Invalid user steve from 204.10.106.233
Jun 15 11:36:15 linux01 sshd[9846]: Invalid user shimada from 204.10.106.233
Jun 15 11:36:17 linux01 sshd[9848]: Invalid user shimada from 204.10.106.233
Jun 15 11:36:18 linux01 sshd[9850]: Invalid user shimada from 204.10.106.233

I'm up to date on my patches and use strict IDs/PWs, but I can't seem to find the answer I'm looking for.

On SUSE 10, how do I set up my FW rules so a user from IP address X can only attempt x number of login attempts and then my system neglects to respond with logins for x mins?

Simple example would be: I fail to login on three attempts... my next login attempt won't be accepted till, say, 10 mins later.
 
Old 06-16-2006, 12:25 AM   #2
prozac
Member
 
Registered: Oct 2005
Location: Australia
Distribution: slackware 12.1
Posts: 753

Rep: Reputation: 32
Is your machine accessible through ssh from everywhere (0/0)? In my practice I have never done it. I just open very, very specific IPs in my FW for ssh access. That way, the FW would reject any ssh attempts from unknown IPs. Yes, you need static IPs for that, and you might as well get it if you don't have it already. Also you might want to change your ssh port no. to something less known than the default 22. Yes, somebody could still find the port no. being used and also fake the IP, but the process is harder and will consume time. If you are the only one using the SSH access, make sure you change the port no. occasionally. For example, I access my work network from my home and I have a static IP at home, and in my firewall I have just opened up access for that IP. Your situation could of course be different.
 
Old 06-16-2006, 12:34 AM   #3
WRXSTi
Member
 
Registered: Oct 2003
Location: NH
Distribution: SUSE
Posts: 32

Original Poster
Rep: Reputation: 15
I use a dynamic DNS service and route via name... but yes, locally on my network it is a static IP, and yes, I'm the only one ssh'ing.

I'd rather not restrict by IP as I sometimes connect from relatives' PCs and they all have dynamic IPs as well as different ISPs.

I've seen how to do it in RH, but from what I can tell SUSE appears to be a different type of cfg.

Last edited by WRXSTi; 06-16-2006 at 12:35 AM.
 
Old 06-16-2006, 12:35 AM   #4
nlinecomputers
Member
 
Registered: Aug 2005
Location: Midland, TX
Distribution: Ubuntu
Posts: 125

Rep: Reputation: 15
Have a look at this:

http://linsec.ca/syshardening/openssh.php
 
Old 06-16-2006, 12:54 AM   #5
prozac
Member
 
Registered: Oct 2005
Location: Australia
Distribution: slackware 12.1
Posts: 753

Rep: Reputation: 32
Quote:
Originally Posted by WRXSTi
I'd rather not restrict by IP as I sometimes connect from relatives' PCs and they all have dynamic IPs as well as different ISPs.

Yes, I know, I too have faced those kinds of problems. So in the end, it all boils down to a security vs. convenience issue.
 
Old 06-16-2006, 12:55 AM   #6
prozac
Member
 
Registered: Oct 2005
Location: Australia
Distribution: slackware 12.1
Posts: 753

Rep: Reputation: 32
Maybe instead of using a password, you can use ssh-keys, or both.
 
Old 06-16-2006, 08:28 AM   #7
nlinecomputers
Member
 
Registered: Aug 2005
Location: Midland, TX
Distribution: Ubuntu
Posts: 125

Rep: Reputation: 15
I have clients running Linux servers on DSL/Cable connections that run no-ip.com for dynamic addresses. I never use port 22 on them and I use ssh-keys only to remote access them. Port 22 gets scanned constantly but other port numbers are usually ignored.
 
Old 06-16-2006, 08:28 AM   #8
imagineers7
Member
 
Registered: Mar 2006
Distribution: BackTrack, RHEL, FC, CentOS, IPCop, Ubuntu, 64Studio, Elive, Dream Linux, Trix Box
Posts: 310

Rep: Reputation: 30
hello WRXSTi,

Why don't you have a look at this thread in the same forum

Hope, this will help you
 
Old 06-16-2006, 08:56 AM   #9
imagineers7
Member
 
Registered: Mar 2006
Distribution: BackTrack, RHEL, FC, CentOS, IPCop, Ubuntu, 64Studio, Elive, Dream Linux, Trix Box
Posts: 310

Rep: Reputation: 30
Hi,

As an instant measure change your password to something long and complicated
 
Old 06-18-2006, 07:31 AM   #10
UK MAdMaN
Member
 
Registered: Jul 2004
Location: Manchester, England
Distribution: Gentoo
Posts: 211

Rep: Reputation: 30
You should also e-mail abuse@acceleratebiz.com, attaching the logs, so they can punish the person trying to break in to your computer.
 
Old 06-18-2006, 07:41 AM   #11
prozac
Member
 
Registered: Oct 2005
Location: Australia
Distribution: slackware 12.1
Posts: 753

Rep: Reputation: 32
The ssh-key seems to be best for the purpose. I am going to try it. I get the feeling it would be annoying carrying the key on a pendrive everywhere I go; nevertheless, I will try.
 
Old 06-18-2006, 09:48 AM   #12
haertig
Senior Member
 
Registered: Nov 2004
Distribution: Mint, MX, antiX, SystemRescue
Posts: 2,337

Rep: Reputation: 358
Quote:
Originally Posted by WRXSTi
Simple example would be: I fail to login on three attempts... my next login attempt won't be accepted till, say, 10 mins later.
See what I do to handle this in post #20 and post #22 in the thread below. These two posts went a bit off-topic on that thread, but they illustrate a program I use to ban IP addresses after three failed attempts. http://www.linuxquestions.org/questi...d.php?t=454306
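The policy asked for in post #1 (three failed attempts, then the source address is ignored for ten minutes) and the ban-after-three-failures program haertig describes in post #12 are modelled below in Python. This is an added example, not code from the thread or from any tool mentioned in it. It parses sshd "Invalid user" lines in the format quoted in the first post, keeps a sliding window of failures per source address, decides per attempt whether it is counted, triggers a ban or is dropped, and also builds the per-address summary (attempt count, usernames tried, first and last seen) that one would attach to an abuse report as post #10 suggests. The sample log is constructed: its first four lines are the ones quoted in the thread, the 192.0.2.x addresses are documentation addresses added to exercise the time window. The 10-minute window, the 10-minute ban length and the year 2006 (syslog timestamps carry no year) are assumed values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample input. The first four lines are the poster's own log
# lines; the 192.0.2.x lines are made-up documentation addresses.
SAMPLE_LOG = """\
Jun 15 11:36:09 linux01 sshd[9840]: Invalid user steve from 204.10.106.233
Jun 15 11:36:12 linux01 sshd[9842]: Invalid user steve from 204.10.106.233
Jun 15 11:36:14 linux01 sshd[9844]: Invalid user steve from 204.10.106.233
Jun 15 11:36:15 linux01 sshd[9846]: Invalid user shimada from 204.10.106.233
Jun 15 11:40:00 linux01 sshd[9860]: Invalid user bob from 192.0.2.10
Jun 15 11:52:00 linux01 sshd[9870]: Invalid user bob from 192.0.2.10
Jun 15 11:53:00 linux01 sshd[9872]: Invalid user bob from 192.0.2.10
Jun 15 11:53:30 linux01 sshd[9874]: Accepted publickey for admin from 192.0.2.50 port 50000 ssh2
"""

# Matches the "Invalid user <name> from <ip>" message sshd logs when the
# requested account does not exist; every other line is ignored.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>\S+) from (?P<ip>\S+)$"
)

def parse_failure(line, year=2006):
    """Return (timestamp, user, ip) for a failed-login line, else None.
    Syslog timestamps have no year, so one is assumed (2006 here)."""
    m = FAILED_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
    return ts, m["user"], m["ip"]

class BanTracker:
    """Ban a source address after max_failures failures inside `window`,
    then drop its attempts for `ban_for`. A model of the requested policy,
    not an existing tool."""

    def __init__(self, max_failures=3, window=timedelta(minutes=10),
                 ban_for=timedelta(minutes=10)):
        self.max_failures = max_failures
        self.window = window
        self.ban_for = ban_for
        self.recent = defaultdict(deque)   # ip -> timestamps of recent failures
        self.banned_until = {}             # ip -> datetime the ban expires
        self.events = []                   # (timestamp, ip, decision)

    def record(self, ts, ip):
        """Feed one failed attempt; return 'failed', 'banned' or 'dropped'."""
        until = self.banned_until.get(ip)
        if until is not None:
            if ts < until:                 # still inside the ban: ignore it
                self.events.append((ts, ip, "dropped"))
                return "dropped"
            del self.banned_until[ip]      # ban expired: start counting afresh
            self.recent[ip].clear()
        q = self.recent[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()                    # forget failures older than the window
        if len(q) >= self.max_failures:
            self.banned_until[ip] = ts + self.ban_for
            q.clear()
            decision = "banned"
        else:
            decision = "failed"
        self.events.append((ts, ip, decision))
        return decision

def analyze(log_text, **policy):
    """Run every failed-login line of log_text through a BanTracker."""
    tracker = BanTracker(**policy)
    for line in log_text.splitlines():
        parsed = parse_failure(line)
        if parsed:
            ts, _user, ip = parsed
            tracker.record(ts, ip)
    return tracker

def summarize(log_text):
    """Per-source summary: attempt count, usernames tried, first/last seen."""
    out = {}
    for line in log_text.splitlines():
        parsed = parse_failure(line)
        if not parsed:
            continue
        ts, user, ip = parsed
        e = out.setdefault(ip, {"attempts": 0, "users": set(), "first": ts, "last": ts})
        e["attempts"] += 1
        e["users"].add(user)
        e["first"] = min(e["first"], ts)
        e["last"] = max(e["last"], ts)
    return out

if __name__ == "__main__":
    t = analyze(SAMPLE_LOG)
    for ts, ip, decision in t.events:
        print(ts.time(), ip, decision)
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, info["attempts"], "attempts, users:", sorted(info["users"]))
```

With the sample input, 204.10.106.233 is banned on its third failure at 11:36:14 until 11:46:14 and its fourth attempt is dropped, while 192.0.2.10 never trips the threshold because its first failure has aged out of the 10-minute window by the time the next two arrive. On the firewall side, the same shape of policy (count new connections per source address over a time window, then drop) is what the iptables `recent` match implements, which is the usual way to express the request in post #1 as a rule rather than as a log-watching daemon; note that it counts connections, not sshd failures, so a client that makes several attempts over one connection is only counted once.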
 