illegal ssh login attempt killing me

ridwan77 · 05-24-2006, 09:44 AM

hello there!

I'm new in linux.

I'm using slackware 8.0 for my mail server. for the last few months i'm facing huge illegal ssh login attempt in my server. I can't stop the ssh service cause i need it. but i want to allow some specific IPs only from where the ssh login can be done. from all other IP ssh will be denied. how to do it? can anyone please help me out?

zaichik · 05-24-2006, 09:56 AM

You could move your SSH port to something other than 22, for starters. In your sshd config file (on my systems it's /etc/ssh/sshd_config) you will want these entries:

Code:

Port 8945 # or something beside 22
Protocol 2

To allow logins only from specific IPs, you can add this to sshd_config:

Code:

AllowUsers *@1.2.3.4

That will only allow SSH logins from any user from IP address 1.2.3.4.

You can lock it down even tighter by disallowing direct root logins, and specifying a user in the line above. For example, create a user "ridwan77", add them to the group wheel, and include this in your sshd_config file:

Code:

AllowUsers ridwan77@1.2.3.4

PermitRootLogin no

In this case, only ridwan77 will be allowed to login, and then only from IP address 1.2.3.4. You can include netblocks in the AllowUser with

Code:

AllowUsers ridwan77@1.2.3.*

You will have to restart sshd to make any changes effective. Restarting sshd will not kill your current session.

unixfool · 05-24-2006, 10:21 AM

Since you're new to Linux and are using an older version of Slackware, you might want to upgrade your SSH package (if you haven't already).

ridwan77 · 05-27-2006, 12:53 AM

Dear zaichik,

Thanks for your quick reply.
You said "For example, create a user "ridwan77", add them to the group wheel, and include this in your sshd_config file" .... I'm confused about adding to the group wheel. how to do that please describe

-Ridwan

gabsik · 05-27-2006, 12:58 AM

Read this ...

Quote:

http://non-gnu.uvt.nl/pub/uvt-unix-doc/ssh-harden.txt

ridwan77 · 05-27-2006, 07:18 AM

hello zaichik,

I have added the following lines in my /etc/ssh/sshd_config file:

AllowUsers ridwan77@192.168.222.*
PermitRootLogin no

and then i killed the sshd daemon and start it again. but i can't login and the log is showing the following messages:

May 27 18:07:01 mail sshd[612]: input_userauth_request: illegal user ridwan77
May 27 18:07:01 mail sshd[612]: Failed none for illegal user ridwan77 from 192.1
68.222.10 port 2232 ssh2
May 27 18:07:01 mail sshd[612]: Failed keyboard-interactive for illegal user rid
wan77 from 192.168.222.10 port 2232 ssh2
May 27 18:07:09 mail sshd[612]: Failed password for illegal user ridwan77 from 1
92.168.222.10 port 2232 ssh2

would u please tell me what to do now ?

- Ridwan

zaichik · 05-27-2006, 11:00 AM

Did you add the Unix user ridwan77?

Code:

useradd ridwan77
passwd ridwan77

and then enter a good, secure password for the user (at least 10 characters, combination of upper- and lower-case letters, numerals, and special characters).

Don't forget to add the user to wheel. Edit /etc/group, and the line that says something like (probably)

Code:

wheel:x:10:root

change to

Code:

wheel:x:10:root,ridwan77

No spaces on either side of that comma there.

joseph · 05-28-2006, 08:22 PM

Why not using an iptables to prevent it ???

ridwan77 · 05-30-2006, 02:20 AM

hi zaichik,

At last it worked. Thanks for your assistance

Ridwan

juanbobo · 05-30-2006, 03:27 AM

Since you don't always know the IPs of the machines you'll be using to log in to your server, I think using iptables to limit connection attempts is a better solution, it's not very difficult. Here is a link explaining how:

http://www.tummy.com/journals/entrie...0050724_172920