
My SSH Server getting hammered [solved]


Murda

Hi.

I'm getting my Mandriva LE2005 SSH server hammered. Every day people come and try different usernames and passwords to see if they can get into my box. Is it possible to automatically ban these attackers' IPs? Like this:

I connect to my server (thru SSH).

I try to login as user jack (I have no user jack in my box) and try 3 different passwords and the system throws me out.

I connect again.

I try to login as user john (no john in my box) and try 3 passwords and so on...

At this point, my SSH server thinks that this is an attack, and will ban my IP.

Is this possible? The computer with Mandriva LE2005 doesn't have a monitor, mouse or keyboard. It will be used only thru SSH.

I'm not in a hurry with this one because they will not get into my box (as I have only 5 users there and system default users).

Thanks.


Murda,

This thread is about your problem (look at my last post there). Works great.

After X attempts to log in within time period Y, the firewall ignores that IP for time Z (X, Y and Z to your taste). I set up that after 6 attempts in 1 minute the IP is blocked for 30 minutes. I never saw an attack return the same day.

This, however, does not see the difference between successful or failed logins. It just has to be so-many-attempts from the same IP.


Thanks, this solved my problem. I have no time to implement this to my shorewall yet, but maybe later.

Thanks again. :)


  • 2 weeks later...

http://denyhosts.sourceforge.net/index.html

I use denyhosts on my box that is connected to the net.

DENY_THRESHOLD = 3
DENY_THRESHOLD_VALID = 5
DENY_THRESHOLD_ROOT = 1

Of course the ROOT doesn't really matter since I don't allow root to login externally anyway ;)

You can also send a report to your email account like logwatch. That's for us paranoid folks who like to look through logs in our gmail....


:unsure:
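
As an added illustration (not part of the original post and not DenyHosts' own code), this Python sketch counts failed sshd logins per source address in constructed log lines and applies the three thresholds quoted above, so unlike the firewall rate limit it ignores successful logins. The mapping of each threshold to invalid, valid and root accounts, the deny-when-exceeded rule and the log line format are assumptions.

```python
import re
from collections import defaultdict

# Values quoted in the post; what each one counts is an assumption of this sketch.
THRESHOLDS = {
    "invalid": 3,  # DENY_THRESHOLD: failures for accounts that do not exist
    "valid": 5,    # DENY_THRESHOLD_VALID: failures for existing non-root accounts
    "root": 1,     # DENY_THRESHOLD_ROOT: failures for root
}

# Anchored at end of line so text inside the username field cannot be
# mistaken for the source address.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for "
                    r"(?P<bad>(?:invalid|illegal) user )?(?P<user>.+?) "
                    r"from (?P<ip>\S+) port \d+(?: ssh2)?$")

def hosts_to_deny(lines):
    """Return {ip: category} for hosts whose failure count exceeds a threshold."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = FAILED.search(line.rstrip())
        if m is None:
            continue  # accepted logins and unrelated lines are not counted
        kind = "invalid" if m["bad"] else "root" if m["user"] == "root" else "valid"
        counts[m["ip"]][kind] += 1
    denied = {}
    for ip, per_kind in counts.items():
        for kind, limit in THRESHOLDS.items():
            if per_kind[kind] > limit:
                denied[ip] = kind
                break
    return denied

def fail_line(user, ip, invalid=False):
    """Build one constructed 'Failed password' log line (hypothetical helper)."""
    prefix = "invalid user " if invalid else ""
    return f"Oct  3 04:12:01 box sshd[2211]: Failed password for {prefix}{user} from {ip} port 40022 ssh2"

# Constructed sample log lines (documentation-range addresses, made-up users).
SAMPLE_LOG = (
    [fail_line(u, "203.0.113.7", invalid=True) for u in ("jack", "john", "admin", "test")]
    + [fail_line("root", "198.51.100.9")] * 2
    + [fail_line("alice", "192.0.2.10")] * 2
    + ["Oct  3 04:15:09 box sshd[2290]: Accepted password for alice from 192.0.2.10 port 40031 ssh2"]
)

if __name__ == "__main__":
    print(hosts_to_deny(SAMPLE_LOG))
```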
