LinuxQuestions.org


irfanhab 06-02-2006 03:10 AM

How to secure Server
 
I've got a server, it runs various services including ssh, now every day someone from some IP tries to log in repeatedly by trying different passwords
like this from yesterday
Code:

Jun  1 20:44:07 cern2-222 sshd[8059]: Invalid user fulmali from 125.249.164.105
Jun  1 20:44:07 cern2-222 sshd[8059]: Failed password for invalid user fulmali from 125.249.164.105 port 55332 ssh2
Jun  1 20:44:14 cern2-222 sshd[8061]: Invalid user fulmali from 125.249.164.105
Jun  1 20:44:14 cern2-222 sshd[8061]: Failed password for invalid user fulmali from 125.249.164.105 port 55501 ssh2
Jun  1 20:44:21 cern2-222 sshd[8063]: Invalid user fulmali1 from 125.249.164.105
Jun  1 20:44:21 cern2-222 sshd[8063]: Failed password for invalid user fulmali1 from 125.249.164.105 port 55687 ssh2
Jun  1 20:44:27 cern2-222 sshd[8065]: Invalid user ghussain from 125.249.164.105
Jun  1 20:44:27 cern2-222 sshd[8065]: Failed password for invalid user ghussain from 125.249.164.105 port 55881 ssh2
Jun  1 20:44:33 cern2-222 sshd[8067]: Invalid user ghussain from 125.249.164.105
Jun  1 20:44:33 cern2-222 sshd[8067]: Failed password for invalid user ghussain from 125.249.164.105 port 56058 ssh2
Jun  1 20:44:40 cern2-222 sshd[8069]: Invalid user ghussain from 125.249.164.105
Jun  1 20:44:40 cern2-222 sshd[8069]: Failed password for invalid user ghussain from 125.249.164.105 port 56230 ssh2
Jun  1 20:44:47 cern2-222 sshd[8071]: Invalid user ghussain1 from 125.249.164.105
Jun  1 20:44:47 cern2-222 sshd[8071]: Failed password for invalid user ghussain1 from 125.249.164.105 port 56421 ssh2
Jun  1 20:44:52 cern2-222 sshd[8073]: Invalid user ghussain from 125.249.164.105
Jun  1 20:44:52 cern2-222 sshd[8073]: Failed password for invalid user ghussain from 125.249.164.105 port 56591 ssh2
Jun  1 20:44:58 cern2-222 sshd[8075]: Invalid user ghussain from 125.249.164.105
Jun  1 20:44:58 cern2-222 sshd[8075]: Failed password for invalid user ghussain from 125.249.164.105 port 56743 ssh2

So how can I secure my server from these people, of course I could use IPtables, but there are two problems with it:
I can't possibly know from which IP an attack will occur, thus I can't block specific IPs, and if I block a range, then I could be disallowing legitimate logins.

So how do I set the server up to allow the "good" guys in and keep the bad guys out :)

huanvnn 06-02-2006 03:15 AM

The problem can be solved if you make your sshd server listen on an internal address (not the address connected to the ISP). You can see more in my post in the Linux Security subforum.

unSpawn 06-02-2006 03:31 AM

@huanvnn: The problem can be solved if you make your sshd server listen on an internal address (not the address connected to the ISP).
I'm sorry, but that advice IMHO doesn't cut it in most situations. Please read the sticky threads in this forum if you want to give useful advice supported by more people than one. Thanks.


@irfanhab: See the Failed SSH login attempts thread for working solutions.
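
Added example, not part of any post in this thread: one way to approach the "I can't know the IP in advance" problem from the first post is to derive offending addresses from the sshd log itself, flagging a source once it exceeds a failure threshold inside a time window. The function names, the threshold, the window, the year (syslog timestamps carry none) and the last sample line are assumptions; the rules are only returned as strings, not applied.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# First six lines are copied from the post above; the last is constructed (192.0.2.10
# is a documentation address) to stand for a legitimate user mistyping a password once.
SAMPLE_LOG = """\
Jun  1 20:44:07 cern2-222 sshd[8059]: Invalid user fulmali from 125.249.164.105
Jun  1 20:44:07 cern2-222 sshd[8059]: Failed password for invalid user fulmali from 125.249.164.105 port 55332 ssh2
Jun  1 20:44:14 cern2-222 sshd[8061]: Failed password for invalid user fulmali from 125.249.164.105 port 55501 ssh2
Jun  1 20:44:21 cern2-222 sshd[8063]: Failed password for invalid user fulmali1 from 125.249.164.105 port 55687 ssh2
Jun  1 20:44:27 cern2-222 sshd[8065]: Failed password for invalid user ghussain from 125.249.164.105 port 55881 ssh2
Jun  1 20:44:33 cern2-222 sshd[8067]: Failed password for invalid user ghussain from 125.249.164.105 port 56058 ssh2
Jun  1 20:45:02 cern2-222 sshd[8080]: Failed password for alice from 192.0.2.10 port 40112 ssh2
"""

# The username is chosen by the remote side, so the pattern is anchored at the end of
# the line and the user group is greedy: only the final "from <ip> port" is trusted.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(.*) from (\S+) port \d+ ssh2$")

def offenders(log_text, threshold=5, window_seconds=60, year=2006):
    """Return {ip: usernames tried} for IPs with >= threshold failures in the window."""
    window = timedelta(seconds=window_seconds)
    recent, users, flagged = defaultdict(deque), defaultdict(set), set()
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        stamp, user, raw_ip = m.groups()
        try:
            ip = str(ipaddress.ip_address(raw_ip))  # never pass unvalidated text on
        except ValueError:
            continue
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        users[ip].add(user)
        if len(q) >= threshold:
            flagged.add(ip)
    return {ip: sorted(users[ip]) for ip in sorted(flagged)}

def block_rules(flagged):
    """Render one iptables DROP rule per flagged address, for review before use."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP" for ip in sorted(flagged)]
```

On the sample, only 125.249.164.105 is flagged; the single failure from 192.0.2.10 stays below the threshold, which is the distinction between "good" and "bad" sources the first post asks for.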

