Linux SSH

RE: Linux SSH

I have been receiving a fairly large number of SSH requests from unknown users that have been attempting various passwords unsuccessfully. Is it possible to restrict an ip address that has entered a password incorrectly 3/4 times on SSH? If so, could someone take me through it step by step? I’m running Fedora.

Who is Participating?
Not in stock OpenSSH. There are some add-on scripts that will examine the logs, keep track of failed login attempts, and then modify an iptables firewall to block the traffic. Of course, you need to have an iptables firewall. Or perhaps tcpwrappers.
i'm thinking of :
-it's unuseful to block this ip,cuz it's most probably dynamic and the intruder will change its ip as soont as he/she will reconnect;
-better solution is to make a good iptables firewall script;i can't point you the right one for your needs i can only give you several links:
iptables manual:
for a pesonal use you can check out his gui firewall::
perhaps better firewall solutions::
there are many web -engines stateing to offer an easy-to-make iptables firewall script;but i'll hesitate to give such suggestions...
another good option is to make some scans on your system for security leaks;use :chkrootkit,nessus,snort:
and try to determine what kind of services/processes are trying the whole time to access the internet from your pc,what is actually unusable - stop it;
know that every service ,which needs the root acl is a potential danger for your security ,regarding the internet access;
you can change also your passwords to something different after this issue:
no common words,min 8 letters+symbols+extra letters ,but do not use symbols like @ or €,cuz there are  still problems to find them on many keyboards;
try also to keep your system up-to-date;but note :
such kind of active scans(also over ssh) are really something common;so if you manage to make a reasonable iptables script ,then you'll be a OK.
Tracks recent connections and if connection attempts exceed 10 tries in 60 seconds from the same IP, it drops those packets.
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name sshbruteforce --rsource
iptables -A INPUT -m recent --rcheck --seconds 60 --hitcount 10 --name sshbruteforce --rsource -j DROP

DenyHosts is a script intended to be run by Linux system administrators to help thwart ssh server attack
or using PAM

Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

What I usually do is I move SSH to a non-standard port, somewhere like 39283;).

Script kiddies typically scan networks for sshd listening on port 22 and they'll leave you alone. Never had anyone trying to brute-force my sshd after I did this.
Which is fine if you're the only one legitimately accessing it....
>> Which is fine if you're the only one legitimately accessing it....

Actually, I am not the only one. But whoever is legitimately accessing it (i.e. has shell username/pw) is also aware of the change;)
use unique (i.e. don't use the same one you use anywhere else) and strong passwords (or use key-based auth instead),

disable root login via ssh (you can always sudo or su to root after login if needed),

move ssh to a nonstandard, unused port, close port 22, (this alone will pretty much stop what you're seeing in the logs)

restrict ssh to only those users who actually need it.

if the legitimate users of ssh are coming in from known and stable ip's you can also restrict ssh access to only those ip's with firewall rules.
if you do want to actively block those attempting to brute force their way into your box, see

You can use a module called pam_abl
best practice, if possible is to only allow trusted IPs into SSH in the first place. This would be best done on your hardware firewall, but can also be done using the /etc/hosts.allow or /etc/hosts.deny file. I prefer to use hosts.deny as such

SSHD:  ALL EXCEPT   my.ip.address.allowed my.other.ip.allowed

Again only for complete my previus answer
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.