LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Old 02-08-2011, 02:03 PM   #1
dirtydog7655
Member
 
Registered: Jan 2011
Posts: 47

Rep: Reputation: 0
Question on IP Blocking


Ok so, buddy of mine has his ssh server setup and upon checking his logs he sees a ton of failed attempts.

Now obviously these are people that are scanning him and trying to brute force him.

So is there a way to block them? We know you can block each IP but is there a way to block ALL connections except for certain ones, such as his and mine? Maybe a couple others.

Thanks!
 
Old 02-08-2011, 02:07 PM   #2
jcalzare
Member
 
Registered: Aug 2009
Location: Chicago
Distribution: CentOS
Posts: 114

Rep: Reputation: 34
There are a few things you can do to help.

1. Move ssh to a non-standard port (anything that isn't in use that isn't 22). This would be in /etc/ssh/sshd_config
2. Deny all access on that port, and allow access only to explicitly defined addresses. This can be accomplished via IP tables. CSF (configserver firewall) is a pretty nice frontend for IPtables if you don't want to learn all the syntax.
 
Old 02-08-2011, 02:08 PM   #3
dirtydog7655
Member
 
Registered: Jan 2011
Posts: 47

Original Poster
Rep: Reputation: 0
He uses UFW for a firewall
 
Old 02-08-2011, 03:07 PM   #4
jcalzare
Member
 
Registered: Aug 2009
Location: Chicago
Distribution: CentOS
Posts: 114

Rep: Reputation: 34
Ok... then follow the steps using UFW instead.
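
Added example, not part of any post in this thread: one way to express "deny the SSH port to everyone except listed addresses" with UFW. The port (2222) and the source addresses are constructed samples, and the function names are hypothetical; the script only prints the commands unless APPLY=1 is set.

```sh
#!/bin/sh
# Added example (not from the thread). Port and addresses are constructed
# samples from the RFC 5737 documentation ranges.
SSH_PORT=2222                            # assumed Port value in sshd_config
ALLOWED="203.0.113.10 198.51.100.0/24"   # assumed trusted sources

# Succeed only for a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_source() {
    addr=${1%%/*}
    case $1 in
        */*) prefix=${1#*/}
             case $prefix in ''|*[!0-9]*) return 1 ;; esac
             [ "$prefix" -le 32 ] || return 1 ;;
    esac
    case $addr in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Print the ufw commands in the order they must be added: ufw applies the
# first matching rule, so the per-source allows have to precede the deny.
ssh_allowlist_rules() {
    port=$1; shift
    # An empty allowlist would leave only the deny and lock everyone out.
    [ $# -ge 1 ] || { echo "no allowed sources given" >&2; return 1; }
    for src in "$@"; do
        valid_source "$src" || { echo "bad source: $src" >&2; return 1; }
    done
    for src in "$@"; do
        echo "ufw allow from $src to any port $port proto tcp"
    done
    echo "ufw deny $port/tcp"
}

# Dry run by default; APPLY=1 (as root) executes each generated command.
apply_rules() {
    rules=$(ssh_allowlist_rules "$@") || return 1
    echo "$rules" | while read -r cmd; do
        if [ "${APPLY:-0}" = 1 ]; then $cmd; else echo "$cmd"; fi
    done
}

apply_rules "$SSH_PORT" $ALLOWED
```

Any broader allow rule for the same port that already exists sits earlier in the rule list and still matches first, so check `ufw status numbered` and delete it before relying on the deny.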
 
Old 02-08-2011, 04:54 PM   #5
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

Rep: Reputation: 194
Besides moving to another port I would suggest that you start using key-authentication for your ssh connections and maybe Port-Knocking.
 
Old 02-09-2011, 08:53 AM   #6
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070

Rep: Reputation: 897
Quote:
Originally Posted by dirtydog7655
Ok so, buddy of mine has his ssh server setup and upon checking his logs he sees a ton of failed attempts.
You should regard this as normal. Maybe, in an ideal world, it wouldn't happen, but in this world it does happen, so just be prepared for it.

Quote:
Originally Posted by dirtydog7655
Now obviously these are people that are scanning him and trying to brute force him.
...not quite so obvious, given that it could be brute force or it could be a dictionary attack, but you probably meant either...

Quote:
Originally Posted by dirtydog7655
So is there a way to block them? We know you can block each IP but is there a way to block ALL connections except for certain ones, such as his and mine? Maybe a couple others.
Look here for example, for a good overview of the advantages and disadvantages of different approaches that you could take.

In addition, you could look at things like denyhosts or fail2ban to help iptables to stop repeated attempts as soon as possible (on Linux, the firewall is iptables/netfilter, but there are a large number of 'easy' tools that you can use to aid in its configuration).

BTW, you have to remember that the problem is the risk of an attack succeeding; 'bad' entries in a log file is not a problem, per se (it is an early warning, providing someone looks through the log files and reacts, if appropriate), the risk of someone succeeding is the problem.
 
Old 02-11-2011, 10:31 AM   #7
wetech3
LQ Newbie
 
Registered: Feb 2011
Posts: 7

Rep: Reputation: 1
IP blocking

You are right, somebody is trying to access your server with unauthorized login attempts; that's why you are getting the failure errors in your log file, and you can't secure your server with a single command. This is a continuous and time-consuming process.

Quickly, you can do some things:

Install APF and BFD on your machine, change the SSH port, and also block the unwanted port range in the APF conf.
 
  

