Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
I'm using SuSE 10.0 with SuSE Firewall on my server machine.
Every day I get similar lines in my /var/log/messages:
Dec 19 13:27:48 server sshd[7161]: Invalid user rolo from 218.97.247.137
Dec 19 13:27:54 server sshd[7163]: Invalid user iceuser from 218.97.247.137
Dec 19 13:28:01 server sshd[7165]: Invalid user horde from 218.97.247.137
Dec 19 13:28:07 server sshd[7167]: Invalid user cyrus from 218.97.247.137
Dec 19 13:28:13 server sshd[7169]: Invalid user www from 218.97.247.137
Dec 19 13:28:28 server sshd[7173]: Invalid user matt from 218.97.247.137
Dec 19 13:28:35 server sshd[7175]: Invalid user test from 218.97.247.137
Dec 19 13:28:41 server sshd[7177]: Invalid user test from 218.97.247.137
Dec 19 13:28:47 server sshd[7179]: Invalid user test from 218.97.247.137
The following 2 commands will block incoming connections to ssh if the IP address the connections come from has given a failed password more than three times in the last 60 seconds:
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 -j DROP
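As an added example (not code from this thread), here is a replay of what those two rules do to the log quoted in the question: it parses the "Invalid user" lines and applies the recent module's per-source window and hit count, so you can see which of the nine connections the DROP rule would have caught. The year 2005 and the reading of each sshd line as one new TCP connection (the PIDs differ) are my assumptions.

```python
import re
from datetime import datetime

# Constructed input: the nine sshd lines quoted in the question, each from a
# separate TCP connection (note the distinct PIDs). Year 2005 is assumed.
SAMPLE_LOG = """\
Dec 19 13:27:48 server sshd[7161]: Invalid user rolo from 218.97.247.137
Dec 19 13:27:54 server sshd[7163]: Invalid user iceuser from 218.97.247.137
Dec 19 13:28:01 server sshd[7165]: Invalid user horde from 218.97.247.137
Dec 19 13:28:07 server sshd[7167]: Invalid user cyrus from 218.97.247.137
Dec 19 13:28:13 server sshd[7169]: Invalid user www from 218.97.247.137
Dec 19 13:28:28 server sshd[7173]: Invalid user matt from 218.97.247.137
Dec 19 13:28:35 server sshd[7175]: Invalid user test from 218.97.247.137
Dec 19 13:28:41 server sshd[7177]: Invalid user test from 218.97.247.137
Dec 19 13:28:47 server sshd[7179]: Invalid user test from 218.97.247.137
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>\S+) from (?P<src>\S+)"
)

def parse_events(log_text, year=2005):
    """Return (timestamp, source IP, user name) per 'Invalid user' line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["src"], m["user"]))
    return events

def simulate_recent(events, seconds=60, hitcount=3):
    """Replay the xt_recent logic of the two rules for each source address.

    The DROP rule (--update --seconds S --hitcount N) matches when the source
    already has N or more recorded connections no older than S seconds, and
    refreshes the entry on a match; otherwise the --set rule records it. Either
    way one timestamp is stored per NEW connection; password failures as such
    are invisible to the firewall.
    """
    stamps = {}  # src -> timestamps of earlier new connections
    verdicts = []
    for ts, src, user in events:
        window = [t for t in stamps.get(src, []) if (ts - t).total_seconds() <= seconds]
        verdict = "DROP" if len(window) >= hitcount else "ACCEPT"
        stamps.setdefault(src, []).append(ts)
        verdicts.append((ts.strftime("%H:%M:%S"), src, user, verdict))
    return verdicts
```

With the defaults, the first three connections from 218.97.247.137 pass and the fourth (13:28:07, user cyrus) onwards is dropped; connections spaced more than 60 seconds apart never trip the rule.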
Thank you for the exhaustive answers and for the interesting links.
Quote:
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 -j DROP
How do you translate this in a, let's say, SuSEFirewall config file?
I'm quite inexperienced in firewalling, and my iptables skills are below zero (that means, if I do anything I will surely do it in the wrong direction)...
Or you could change the port SSH listens to ... like to port 23
Takes a lot of script kiddies out of the game.
Same difference, SSH vs Telnet. I run my SSH server on a non-standard SSH port, 2222 is easy, and cuts down on the login attempts by a lot. People will still do port scans on you and such and identify it as a listening port, but that is just part of having a system connected to the Internet. Keep your system updated/patched and disable any unused accounts. Aside from that, and using good passwords, you should be good.
ONLY after you have hardened your ssh server (no root, only version 2, only certificates, chroot,...), if you want to hide even more ( against 0days for example), you can have a look here:
I've seen this a couple of years before, I know some secure companies use it.
As it is in French, I will quickly explain for the ones who don't read Perl natively.
It uses the port-knocking (marketing term) technique:
Your ssh server is not running
As soon as your machine receives a packet on a special port with a special sequence number with a special IPID number and special source port number (2^32*2^16*2^16*2^16 combinations), then it starts the server on port 2222 (2^16 more) for only one session.
You connect to it
Only possible if you use a modified ssh client/server (perl script on the page)
Security by obscurity is a good layer when it is not the only one (harden ssh first)
I've been using http://www.dnsstuff.com/ for all my IP stuff. But even if you do happen to get a good reverse DNS lookup, most places make it extremely difficult to report abuse... *cough cough*sbc/pacbell*cough cough*
The parent poster's IP address seems to result in an infinite loop.