Murda, posted September 24, 2005 (edited September 25, 2005):
Hi. I'm getting my Mandriva LE2005 SSH server hammered. Every day people come and try different usernames and passwords if they can get into my box. Is it possible to automatically ban these attackers' IPs?
Like this: I connect to my server (thru SSH). I try to login as user jack (I have no user jack in my box) and try 3 different passwords and the system throws me out. I connect again. I try to login as user john (no john in my box) and try 3 passwords and so on... At this point, my SSH server thinks that this is an attack, and will ban my IP. Is this possible?
The computer with Mandriva LE2005 doesn't have a monitor, mouse or keyboard. It will be used only thru SSH. I'm not in a hurry with this one because they will not get into my box (as I have only 5 users there and system default users). Thanks.
coverup, posted September 25, 2005:
By default, ssh daemon listens to port 22. You can change this setting to listen to some other port. You will also have to change settings on your firewall/router to enable connections to this port.
Murda, posted September 25, 2005:
> By default, ssh daemon listens to port 22. You can change this setting to listen to some other port. You will also have to change settings on your firewall/router to enable connections to this port.
Yeah, I was thinking that too, but I just wanted to ask if there's another solution for this.
lynchmob, posted September 25, 2005:
Here is an article I read at linux.com that may help: http://www.linux.com/article.pl?sid=05/09/15/1655234
You may need to build the restricted access lists mentioned in the article. Hope that helps.
lynchmob
uralmasha, posted September 25, 2005:
Murda, This thread is about your problem (look at my last post there). Works great. After X attempts to log in within time period Y, the firewall ignores that IP for time Z (X, Y and Z to your taste). I set up that after 6 attempts in 1 minute the IP is blocked for 30 minutes. I never saw an attack return the same day.
This, however, does not see the difference between successful or failed logins. It just has to be so-many-attempts from the same IP.
Murda, posted September 25, 2005:
> Murda, This thread is about your problem (look at my last post there). Works great. After X attempts to log in within time period Y, the firewall ignores that IP for time Z (X, Y and Z to your taste). I set up that after 6 attempts in 1 minute the IP is blocked for 30 minutes. I never saw an attack return the same day.
> This, however, does not see the difference between successful or failed logins. It just has to be so-many-attempts from the same IP.
Thanks, this solved my problem. I have no time to implement this to my shorewall yet, but maybe later. Thanks again. :)
jlc, posted October 6, 2005:
http://denyhosts.sourceforge.net/index.html
I use denyhosts on my box that is connected to the net.
DENY_THRESHOLD = 3
DENY_THRESHOLD_VALID = 5
DENY_THRESHOLD_ROOT = 1
Of course the ROOT doesn't really matter since I don't allow root to login externally anyway ;) You can also send a report to your email account like logwatch. That's for us paranoid folks who like to look through logs in our gmail.... :unsure:
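How per-account-type thresholds like the three quoted above play out over an sshd log, as an added example that is not part of the thread and not DenyHosts' own code. It assumes the three values apply to invalid, valid and root accounts respectively and that a host is denied once its failure count exceeds the value; the function names and log lines are constructed for illustration.

```python
import re
from collections import Counter

# Thresholds from the post; mapping them to invalid / valid / root accounts
# and the "exceeds" comparison are this example's assumptions.
THRESHOLDS = {"invalid": 3, "valid": 5, "root": 1}

# sshd failure line. Older OpenSSH wrote "illegal user", newer "invalid user".
# The user name is remote-supplied text, so the pattern is anchored at the end
# of the line and the address is taken from the last "from ... port".
FAILED = re.compile(
    r"Failed password for (?P<bad>(?:invalid|illegal) user )?(?P<user>.*)"
    r" from (?P<ip>\S+) port \d+ ssh2$"
)

def classify(m):
    if m.group("bad"):
        return "invalid"
    return "root" if m.group("user") == "root" else "valid"

def hosts_to_deny(lines, thresholds=THRESHOLDS):
    """Return {ip: category} for hosts whose failure count exceeds a threshold."""
    counts, denied = Counter(), {}
    for line in lines:
        m = FAILED.search(line.rstrip())
        if not m:
            continue  # accepted logins and unrelated lines are not counted
        ip, kind = m.group("ip"), classify(m)
        counts[ip, kind] += 1
        if counts[ip, kind] > thresholds[kind]:
            denied.setdefault(ip, kind)
    return denied

# Constructed sample log (documentation addresses, made-up account names).
SAMPLE = [
    "Sep 24 10:00:01 box sshd[101]: Failed password for illegal user jack from 203.0.113.5 port 4001 ssh2",
    "Sep 24 10:00:03 box sshd[102]: Failed password for illegal user john from 203.0.113.5 port 4002 ssh2",
    "Sep 24 10:00:05 box sshd[103]: Failed password for invalid user admin from 203.0.113.5 port 4003 ssh2",
    "Sep 24 10:00:07 box sshd[104]: Failed password for invalid user test from 203.0.113.5 port 4004 ssh2",
    "Sep 24 10:05:00 box sshd[105]: Failed password for alice from 198.51.100.7 port 5001 ssh2",
    "Sep 24 10:05:09 box sshd[106]: Failed password for alice from 198.51.100.7 port 5002 ssh2",
    "Sep 24 10:05:20 box sshd[107]: Accepted password for alice from 198.51.100.7 port 5003 ssh2",
    "Sep 24 10:09:00 box sshd[108]: Failed password for root from 192.0.2.9 port 6001 ssh2",
    "Sep 24 10:09:02 box sshd[109]: Failed password for root from 192.0.2.9 port 6002 ssh2",
    "Sep 24 10:12:00 box sshd[110]: Failed password for invalid user x from 198.51.100.7 port 1 ssh2 from 192.0.2.50 port 7001 ssh2",
]

if __name__ == "__main__":
    print(hosts_to_deny(SAMPLE))
```

The last sample line carries a user name that imitates a log suffix; the end-anchored pattern still attributes the failure to the connecting address, so the legitimate user's host is not counted.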
Murda, posted October 8, 2005:
Thanks, this is really a great app. I'm running it in daemon mode now. Just wondering why Mandriva hasn't put this yet to the installation media or even urpmi. Very useful app these days if you want to run an SSH server. Thanks again.
jlc, posted October 8, 2005:
You're welcome. It's in Fedora Extras, that's how I found out about it.