LinuxQuestions.org
Slackware This Forum is for the discussion of Slackware Linux.
Old 05-03-2005, 08:57 PM   #1
DaWallace
Member
 
Registered: Feb 2004
Location: Southern Maine, United States
Distribution: Slackware Ubuntu Debian FreeBSD
Posts: 418

Rep: Reputation: 31
deny ip address with ssh


okay... so.. small problem with some person or persons unknown trying to crack my servery thing's accounts through ssh, luckily I caught it quickly as instead of a login running on virtual console 1 I have a tail of /var/log/messages. so I noticed rather quickly.

May 3 08:23:35 [My Hostname] sshd[1854]: Failed password for invalid user data from xxx.xxx.xxx.xxx port 41004 ssh2
May 3 08:23:37 [My Hostname] sshd[1856]: Failed password for invalid user user from xxx.xxx.xxx.xxx port 41042 ssh2
May 3 08:23:40 [My Hostname] sshd[1858]: Failed password for invalid user user from xxx.xxx.xxx.xxx port 41082 ssh2
May 3 08:23:43 [My Hostname] sshd[1860]: Failed password for invalid user user from xxx.xxx.xxx.xxx port 41113 ssh2
May 3 08:23:45 [My Hostname] sshd[1862]: Failed password for invalid user web from xxx.xxx.xxx.xxx port 41158 ssh2
May 3 08:23:47 [My Hostname] sshd[1864]: Failed password for invalid user web from xxx.xxx.xxx.xxx port 41189 ssh2
May 3 08:23:50 [My Hostname] sshd[1866]: Failed password for invalid user oracle from xxx.xxx.xxx.xxx port 41222 ssh2
May 3 08:23:52 [My Hostname] sshd[1868]: Failed password for invalid user sybase from xxx.xxx.xxx.xxx port 41252 ssh2
May 3 08:23:55 [My Hostname] sshd[1870]: Failed password for invalid user master from xxx.xxx.xxx.xxx port 41286 ssh2
May 3 08:23:57 [My Hostname] sshd[1872]: Failed password for invalid user account from xxx.xxx.xxx.xxx port 41322 ssh2
May 3 08:24:00 [My Hostname] sshd[1874]: Failed password for invalid user backup from xxx.xxx.xxx.xxx port 41355 ssh2
May 3 08:24:02 [My Hostname] sshd[1876]: Failed password for invalid user server from xxx.xxx.xxx.xxx port 41388 ssh2
May 3 08:24:05 [My Hostname] sshd[1878]: Failed password for invalid user adam from xxx.xxx.xxx.xxx port 41421 ssh2
May 3 08:24:08 [My Hostname] sshd[1880]: Failed password for invalid user alan from xxx.xxx.xxx.xxx port 41459 ssh2
May 3 08:24:10 [My Hostname] sshd[1882]: Failed password for invalid user frank from xxx.xxx.xxx.xxx port 41488 ssh2
May 3 08:24:12 [My Hostname] sshd[1884]: Failed password for invalid user george from xxx.xxx.xxx.xxx port 41519 ssh2
May 3 08:24:16 [My Hostname] sshd[1886]: Failed password for invalid user henry from xxx.xxx.xxx.xxx port 41552 ssh2
May 3 08:24:18 [My Hostname] sshd[1888]: Failed password for invalid user john from xxx.xxx.xxx.xxx port 41597 ssh2

so.. I wish to block that IP address. but as far as I know, ssh doesn't use the wrappers and thus won't respect hosts.deny. how do I do this?
 
Old 05-03-2005, 09:08 PM   #2
buaku
Member
 
Registered: Sep 2004
Distribution: Slackware 10.2 (2.4.31)
Posts: 119

Rep: Reputation: 15
You could probably use ipchains to deny that IP.
Should be quite a few threads around here about ipchains n stuff like that.
 
Old 05-04-2005, 01:55 AM   #4
shilo
Senior Member
 
Registered: Nov 2002
Location: Stockton, CA
Distribution: Slackware 11 - kernel 2.6.19.1 - Dropline Gnome 2.16.2
Posts: 1,132

Rep: Reputation: 50
DaWallace, you're too nice. Why x out the IP address of someone trying to hack your box?

After using iptables to block the IP address, you might want to use whois to find out who owns the IP address and send a copy of your log to abuse@whatever_domain_whois_returns.

Firestarter is a nice iptables frontend. You can see all the active connections and simply block the IP address with one click instead of updating your firewall rules manually.
 
Old 05-04-2005, 02:31 AM   #5
LiNuCe
Member
 
Registered: Apr 2004
Location: France
Distribution: Slackware Linux 10.2
Posts: 119

Rep: Reputation: 15
Re: deny ip address with ssh

Quote:
Originally posted by DaWallace
so.. I wish to block that IP address. but as far as I know, ssh doesn't use the wrappers and thus won't respect hosts.deny. how do I do this?
The OpenSSH daemon as provided with Linux Slackware 10.1 does allow you to use TCP wrappers to allow/deny SSH connections. You can verify this by looking at the FILES section of the sshd man page. However, it is better to have good iptables rules :)

--
LiNuCe
 
Old 05-04-2005, 02:59 PM   #6
DaWallace
Member
 
Registered: Feb 2004
Location: Southern Maine, United States
Distribution: Slackware Ubuntu Debian FreeBSD
Posts: 418

Original Poster
Rep: Reputation: 31
Quote:
Originally posted by shilo
DaWallace, you're too nice. Why x out the IP address of someone trying to hack your box?

I was wondering that while I did it... not really sure why I did it.. oh well..

and the reason I didn't block it through the firewall is that iptables is pretty much the only thing linux related that I've made several attempts at figuring out bust still didn't suceed..

more reading for me I guess..


and.. just for reference.. I couldn't find a case the day I built the thing so.... it isn't a box.. it's actually a wooden board with standoffs in it.. and all other components screwed to the opposite side and grounded with copper wire to the power supply.. for the sake of cooling I'm thinking of building a case around it out of legos.. I'd put it in a proper case but it looks much too cool now for that.

Last edited by DaWallace; 05-04-2005 at 03:11 PM.
 
Old 05-04-2005, 03:09 PM   #7
shilo
Senior Member
 
Registered: Nov 2002
Location: Stockton, CA
Distribution: Slackware 11 - kernel 2.6.19.1 - Dropline Gnome 2.16.2
Posts: 1,132

Rep: Reputation: 50
Quote:
Originally posted by DaWallace
the reason I didn't block it through the firewall is that iptables is pretty much the only thing linux related that I've made several attempts at figuring out but still didn't succeed...
Same here. When it comes to firewalls, I am still a point-and-click newbie. That's why I use Firestarter. It's just a graphical frontend that is really easy to use.

You can also use Firestarter to build your rules, then study them to see how to do it manually.

The docs on their website are really good, too. I used them to re-compile my kernel and build Firestarter from source.
 
Old 05-04-2005, 03:14 PM   #8
DaWallace
Member
 
Registered: Feb 2004
Location: Southern Maine, United States
Distribution: Slackware Ubuntu Debian FreeBSD
Posts: 418

Original Poster
Rep: Reputation: 31
I'm afraid there is no X windows on this thing. so I don't really have that option.
 
Old 05-04-2005, 03:21 PM   #9
mdarby
Member
 
Registered: Nov 2004
Location: Columbus, Ohio
Distribution: Slackware-Current / Debian
Posts: 795

Rep: Reputation: 30
Have you modified your ssh setup to not allow root logins? It would be wise, as would be ensuring that you use *random* passwords that are 8+ characters.
 
Old 05-04-2005, 03:33 PM   #10
DaWallace
Member
 
Registered: Feb 2004
Location: Southern Maine, United States
Distribution: Slackware Ubuntu Debian FreeBSD
Posts: 418

Original Poster
Rep: Reputation: 31
root login is only allowed on the local network and several ranges that I trust. my root password is the most amazingly complicated thing I've ever created, pattern based, no dictionary words and quite long. I have no worries there.
 
Old 05-04-2005, 03:52 PM   #11
mdarby
Member
 
Registered: Nov 2004
Location: Columbus, Ohio
Distribution: Slackware-Current / Debian
Posts: 795

Rep: Reputation: 30


Very nice to hear about a responsible admin.
Why worry about blocking this IP then? Annoyance?
 
Old 05-04-2005, 05:38 PM   #12
keefaz
LQ Guru
 
Registered: Mar 2004
Distribution: Slackware
Posts: 6,230

Rep: Reputation: 724
just add
Code:
 iptables -A INPUT -s XXX.XXX.XXX.XXX -j DROP
somewhere in init script or type it directly at command line
that should block the XXX.XXX.XXX.XXX IP
 
Old 05-04-2005, 07:45 PM   #13
IRIGHTI
Member
 
Registered: Oct 2003
Distribution: Slackware64 13.1 x86_64, Ubuntu 10.04 x86_64
Posts: 121

Rep: Reputation: 15
I get a lot of those guys. I got so annoyed with it I built a script to parse my log every 1 min and automatically block the IP. Yeah, it's overkill and yeah I could really screw myself (only a couple of times) but oh well. I put a line in my rc.firewall script before all other rules to start a separate file with all the bad people and I just add to the bad IP list.

Here is my horrible, horrible, horrible code for anyone interested:

Code:
#!/bin/sh
# Collect the source addresses of "Invalid user" SSH attempts from the auth
# logs and append a DROP rule for each new one to a firewall include file,
# then reload the firewall so the new rules take effect.

cd /etc || exit 1
rm -f badips.log

getips () {
  # current log plus the four rotated copies: auth.log, auth.log.1 .. auth.log.4
  for log in /var/log/auth.log /var/log/auth.log.1 /var/log/auth.log.2 \
             /var/log/auth.log.3 /var/log/auth.log.4
  do
    if [ -f "$log" ] ; then
      # take the address after "from"; sshd logs IPv4 clients as ::ffff:a.b.c.d
      # when it listens on an IPv6 socket, so strip that prefix when present
      grep ssh "$log" | grep Invalid \
        | sed -n 's/.* from \([^ ]*\).*/\1/p' \
        | sed 's/^::ffff://' >> badips.log
    fi
  done
}

getips

# make sure the include file exists so grep below does not fail on first run
touch /etc/init.d/rc.firewall.badips

# one rule per distinct address that is not already in the include file
# (-w -F: match the whole address literally, so 1.2.3.4 does not match 1.2.3.45)
sort -u badips.log | while read -r bad
do
  if ! grep -qwF -- "$bad" /etc/init.d/rc.firewall.badips ; then
    echo "iptables -A INPUT -s $bad -j DROP #ssh hacker $(date)" >> /etc/init.d/rc.firewall.badips
  fi
done

rm -f badips.log
/etc/init.d/rc.firewall

Last edited by IRIGHTI; 05-04-2005 at 07:47 PM.
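An added example, not code from any poster in this thread: a small Python script that parses sshd lines in the format DaWallace pasted, flags a source only after repeated failures inside a short window (the case IRIGHTI's one-line-is-enough script cannot distinguish from a mistyped password), and renders both the iptables rule keefaz gave and the hosts.deny form LiNuCe mentioned. The sample log lines and the 203.0.113.x / 198.51.100.x / 192.0.2.x addresses are constructed for the example, and the threshold, window and log year are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# sshd line format as pasted in the thread; "invalid user" is optional so
# failures against existing accounts (e.g. root) are counted as well.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?:::ffff:)?(?P<ip>[\d.]+) port \d+ ssh2")

# Constructed sample log using RFC 5737 documentation addresses, not real traffic.
SAMPLE_LOG = [
    "May  3 08:23:35 myhost sshd[1854]: Failed password for invalid user data from 203.0.113.77 port 41004 ssh2",
    "May  3 08:23:37 myhost sshd[1856]: Failed password for invalid user user from 203.0.113.77 port 41042 ssh2",
    "May  3 08:23:40 myhost sshd[1858]: Failed password for invalid user web from ::ffff:203.0.113.77 port 41082 ssh2",
    "May  3 08:23:43 myhost sshd[1860]: Failed password for invalid user oracle from 203.0.113.77 port 41113 ssh2",
    "May  3 08:23:45 myhost sshd[1862]: Failed password for root from 203.0.113.77 port 41158 ssh2",
    "May  3 08:30:02 myhost sshd[1901]: Failed password for invalid user guest from 198.51.100.9 port 50210 ssh2",
    "May  3 08:31:10 myhost sshd[1905]: Accepted publickey for wallace from 192.0.2.15 port 51000 ssh2",
]

def parse_failures(lines, year=2005):
    """Yield (timestamp, user, source_ip) for every failed-password line."""
    for m in filter(None, map(FAILED_RE.match, lines)):
        # syslog omits the year, so the caller supplies it (assumed here)
        stamp = " ".join(m.group("ts").split())
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        yield ts, m.group("user"), m.group("ip")

def offenders(lines, threshold=5, window_seconds=60):
    """IPs with at least `threshold` failures inside any `window_seconds` span."""
    by_ip = defaultdict(list)
    for ts, _user, ip in parse_failures(lines):
        by_ip[ip].append(ts)
    bad = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over the sorted times
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                bad.add(ip)
                break
    return sorted(bad)

def block_rules(ips):
    """Render the iptables rule and the TCP-wrappers hosts.deny line per IP."""
    return ([f"iptables -A INPUT -s {ip} -j DROP" for ip in ips],
            [f"sshd: {ip}" for ip in ips])
```

Running `block_rules(offenders(SAMPLE_LOG))` on the sample yields one rule for 203.0.113.77 and nothing for the single failure from 198.51.100.9; whether the hosts.deny line has any effect depends on the sshd build honouring TCP wrappers, as LiNuCe's post notes.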
 
Old 05-08-2005, 11:53 PM   #14
gbonvehi
Senior Member
 
Registered: Jun 2004
Location: Argentina (SR, LP)
Distribution: Slackware
Posts: 3,145

Rep: Reputation: 51
You may want to try this: http://freshmeat.net/projects/blockh...ease_id=195611

By the way, IRIGHTI, that script won't work as it is (just need to change the directory init.d) in a default Slackware install since Slackware doesn't use SysV init scripts as default so init.d doesn't exist.
 
Old 05-09-2005, 12:15 AM   #15
WMD
Member
 
Registered: Jul 2004
Location: Florida
Distribution: Slackware, Debian
Posts: 484

Rep: Reputation: 30
For the sake of interesting data, that's not a person doing the hacking. It's an automated bot, maybe a rooted machine. Those have been around for years.
 