My SSH Server getting hammered [solved]


Murda

Hi.

 

I'm getting my Mandriva LE2005 SSH server hammered. Every day people come and try different usernames and passwords to see if they can get into my box. Is it possible to automatically ban these attackers' IPs? Like this:

 

I connect to my server (thru SSH).

I try to log in as user jack (I have no user jack in my box) and try 3 different passwords and the system throws me out.

 

I connect again.

I try to log in as user john (no john in my box) and try 3 passwords and so on...

 

At this point, my SSH server thinks that this is an attack, and will ban my IP.

 

Is this possible? The computer with Mandriva LE2005 doesn't have a monitor, mouse or keyboard. It will be used only thru SSH.

I'm not in a hurry with this one because they will not get into my box (as I have only 5 users there and system default users).

 

Thanks.


By default, ssh daemon listens to port 22. You can change this setting to listen to some other port. You will also have to change settings on your firewall/router to enable connections to this port.

 

Yeah, I was thinking that too, but I just wanted to ask if there's another solution for this.


Murda,

This thread is about your problem (look at my last post there). Works great.

 

After X attempts to log in within time period Y, the firewall ignores that IP for time Z (X, Y and Z to your taste). I set up that after 6 attempts in 1 minute the IP is blocked for 30 minutes. I never saw an attack return the same day.

 

This, however, does not see the difference between successful or failed logins. It just has to be so-many-attempts from the same IP.


Murda,

This thread is about your problem (look at my last post there). Works great.

 

After X attempts to log in within time period Y, the firewall ignores that IP for time Z (X, Y and Z to your taste). I set up that after 6 attempts in 1 minute the IP is blocked for 30 minutes. I never saw an attack return the same day.

 

This, however, does not see the difference between successful or failed logins. It just has to be so-many-attempts from the same IP.

 

Thanks, this solved my problem. I have no time to implement this to my shorewall yet, but maybe later.

Thanks again. :)


  • 2 weeks later...

http://denyhosts.sourceforge.net/index.html

 

I use denyhosts on my box that is connected to the net.

 

DENY_THRESHOLD = 3
DENY_THRESHOLD_VALID = 5
DENY_THRESHOLD_ROOT = 1

 

Of course the ROOT doesn't really matter since I don't allow root to login externally anyway ;)

 

You can also send a report to your email account like logwatch. That's for us paranoid folks who like to look through logs in our gmail....

 

:unsure:
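Added example, not part of the original post and not DenyHosts' own code: a small Python sketch of per-category thresholds like the three quoted above, run over constructed sshd log lines. It assumes DENY_THRESHOLD counts failures for non-existent accounts, DENY_THRESHOLD_VALID for existing non-root accounts and DENY_THRESHOLD_ROOT for root, and that a host is denied once its count exceeds the value; the function and key names are hypothetical.

```python
import re
from collections import Counter

# Thresholds from the post above; the key names are this example's own.
THRESHOLDS = {"invalid": 3, "valid": 5, "root": 1}

# "illegal user" is the wording older OpenSSH releases logged.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<unknown>(?:invalid|illegal) user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def make_line(sec, who, ip):
    """Build one constructed sshd log line (not captured from a real host)."""
    return (f"Jun 10 03:12:{sec:02d} box sshd[2101]: "
            f"Failed password for {who} from {ip} port 4000 ssh2")

# Constructed sample input using documentation-range addresses.
SAMPLE_LOG = "\n".join(
    [make_line(i, f"invalid user guest{i}", "192.0.2.10") for i in range(4)]
    + [make_line(i, "illegal user jack", "203.0.113.5") for i in range(3)]
    + [make_line(i, "root", "192.0.2.20") for i in range(2)]
    + [make_line(i, "alice", "198.51.100.7") for i in range(3)]
    + ["Jun 10 03:13:00 box sshd[2101]: Accepted password for alice "
       "from 198.51.100.7 port 4000 ssh2"]
)

def classify(match):
    """Map a failed login to the threshold category it counts against."""
    if match.group("user") == "root":
        return "root"
    return "invalid" if match.group("unknown") else "valid"

def hosts_to_deny(log_text, thresholds=THRESHOLDS):
    """Return {ip: category} for hosts whose failures exceed a threshold."""
    counts = Counter()
    denied = {}
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue  # successful logins and unrelated lines are not counted
        ip, category = m.group("ip"), classify(m)
        counts[(ip, category)] += 1
        if counts[(ip, category)] > thresholds[category]:
            denied.setdefault(ip, category)
    return denied

if __name__ == "__main__":
    print(hosts_to_deny(SAMPLE_LOG))
```

In the sample, 203.0.113.5 stops at exactly three unknown-user failures and alice's host at three valid-user failures, so neither is denied; only failed logins are counted, unlike the connection-rate firewall rule described earlier in the thread.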


Thanks, this is really a great app. :banana:

I'm running it in daemon mode now.

Just wondering why Mandriva hasn't put this yet to the installation media or even urpmi. Very useful app these days if you want to run a ssh server.

Thanks again. :thumbs:
