Linux SSH

Posted on 2006-05-14
Medium Priority
Last Modified: 2008-02-26
RE: Linux SSH

I have been receiving a fairly large number of SSH requests from unknown users that have been attempting various passwords unsuccessfully. Is it possible to restrict an ip address that has entered a password incorrectly 3/4 times on SSH? If so, could someone take me through it step by step? I’m running Fedora.

Question by:the_omnific
LVL 34

Accepted Solution

PsiCop earned 160 total points
ID: 16677598
Not in stock OpenSSH. There are some add-on scripts that will examine the logs, keep track of failed login attempts, and then modify an iptables firewall to block the traffic. Of course, you need to have an iptables firewall. Or perhaps tcpwrappers.
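The log-watching approach PsiCop describes, as an added illustration that is not part of any answer on this page: the script below parses sshd "Failed password" lines from a constructed syslog sample, counts failures per source address inside a sliding time window, and emits the iptables commands an administrator would review before applying. The sample log, the 3-failures-in-10-minutes threshold and the DROP rule format are assumptions chosen for the example; real add-on scripts (DenyHosts, sshblack and others named later in this thread) differ in detail.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of sshd log lines in classic syslog format (documentation
# IP ranges, not real traffic). Syslog lines carry no year.
SAMPLE_LOG = """\
May 14 10:01:02 fedora sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2
May 14 10:01:05 fedora sshd[2103]: Failed password for invalid user oracle from 203.0.113.5 port 40113 ssh2
May 14 10:01:09 fedora sshd[2105]: Failed password for root from 203.0.113.5 port 40114 ssh2
May 14 10:01:12 fedora sshd[2107]: Failed password for root from 203.0.113.5 port 40115 ssh2
May 14 10:02:30 fedora sshd[2110]: Failed password for bob from 198.51.100.7 port 51022 ssh2
May 14 10:02:40 fedora sshd[2112]: Accepted publickey for bob from 198.51.100.7 port 51023 ssh2
May 14 10:20:00 fedora sshd[2120]: Failed password for invalid user test from 192.0.2.9 port 33001 ssh2
May 14 11:30:00 fedora sshd[2140]: Failed password for invalid user test from 192.0.2.9 port 33002 ssh2
May 14 12:40:00 fedora sshd[2160]: Failed password for invalid user test from 192.0.2.9 port 33003 ssh2
"""

# Matches both "Failed password for root ..." and "Failed password for invalid user x ...".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text, year=2006):
    """Yield (timestamp, ip, user) for every failed-password line.
    Assumption: all lines belong to the same year, supplied by the caller."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]


def failures_per_ip(log_text):
    """Total failed-password count per source address (no time window)."""
    counts = defaultdict(int)
    for _, ip, _ in parse_failures(log_text):
        counts[ip] += 1
    return dict(counts)


def offending_ips(log_text, threshold=3, window_seconds=600):
    """Return the set of source IPs that produced at least `threshold`
    failures inside any sliding window of `window_seconds`. A slow guesser
    spreading attempts over hours is NOT caught unless the window is widened."""
    per_ip = defaultdict(list)
    for ts, ip, _ in parse_failures(log_text):
        per_ip[ip].append(ts)
    offenders = set()
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Slide the window start forward until it fits within window_seconds.
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                offenders.add(ip)
                break
    return offenders


def block_commands(ips):
    """iptables commands that would drop new SSH traffic from each offender.
    Assumed rule shape; returned for review rather than executed."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP" for ip in sorted(ips)]


if __name__ == "__main__":
    for cmd in block_commands(offending_ips(SAMPLE_LOG)):
        print(cmd)
```

With the default 10-minute window only 203.0.113.5 (four failures in ten seconds) is flagged; 192.0.2.9 makes the same number of attempts but spaced over hours, so it is only caught if the window is widened, which is the usual trade-off between catching slow scanners and locking out a legitimate user who mistypes a password.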
LVL 11

Assisted Solution

mwnnj earned 140 total points
ID: 16677600
I'm thinking of:
-it's not useful to block this ip, cuz it's most probably dynamic and the intruder will change its ip as soon as he/she reconnects;
-a better solution is to make a good iptables firewall script; I can't point you to the right one for your needs, I can only give you several links:
iptables manual: http://iptables-tutorial.frozentux.net/iptables-tutorial.html
for personal use you can check out this GUI firewall:
firestarter: http://www.fs-security.com/
perhaps better firewall solutions:
shorewall: http://www.shorewall.net/
there are many web engines stating to offer an easy-to-make iptables firewall script; but I'd hesitate to give such suggestions...
another good option is to make some scans on your system for security leaks; use: chkrootkit, nessus, snort;
and try to determine what kind of services/processes are trying the whole time to access the internet from your PC; what is actually unused - stop it;
know that every service which needs root ACL is a potential danger for your security regarding internet access;
you can also change your passwords to something different after this issue:
no common words, min 8 letters + symbols + extra letters, but do not use symbols like @ or €, cuz there are still problems finding them on many keyboards;
try also to keep your system up-to-date; but note:
such active scans (also over ssh) are really common; so if you manage to make a reasonable iptables script, then you'll be OK.
LVL 14

Assisted Solution

canali earned 140 total points
ID: 16678419
Tracks recent connections and if connection attempts exceed 10 tries in 60 seconds from the same IP, it drops those packets.
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name sshbruteforce --rsource
iptables -A INPUT -m recent --rcheck --seconds 60 --hitcount 10 --name sshbruteforce --rsource -j DROP

DenyHosts is a script intended to be run by Linux system administrators to help thwart ssh server attacks

or using PAM

LVL 15

Assisted Solution

m1tk4 earned 140 total points
ID: 16678644
What I usually do is I move SSH to a non-standard port, somewhere like 39283;).

Script kiddies typically scan networks for sshd listening on port 22 and they'll leave you alone. Never had anyone trying to brute-force my sshd after I did this.
LVL 34

Expert Comment

ID: 16679081
Which is fine if you're the only one legitimately accessing it....
LVL 15

Expert Comment

ID: 16679102
>> Which is fine if you're the only one legitimately accessing it....

Actually, I am not the only one. But whoever is legitimately accessing it (i.e. has shell username/pw) is also aware of the change;)
LVL 14

Assisted Solution

nltech earned 140 total points
ID: 16679225
use unique (i.e. don't use the same one you use anywhere else) and strong passwords (or use key-based auth instead),

disable root login via ssh (you can always sudo or su to root after login if needed),

move ssh to a nonstandard, unused port, close port 22, (this alone will pretty much stop what you're seeing in the logs)

restrict ssh to only those users who actually need it.

if the legitimate users of ssh are coming in from known and stable IPs you can also restrict ssh access to only those IPs with firewall rules.
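A way to check a server's sshd_config against the items in this list (root login, key-based auth, non-standard port, user restriction), added here as an example and not code from any poster: the audit function below reads a flat sshd_config, applies OpenSSH's first-occurrence-wins rule for duplicated keywords, and returns the findings that remain. The two config texts are constructed for the example; the firewall-based IP restriction from the last point is outside sshd_config and is not checked here. Match blocks are detected but not evaluated (assumption: a flat config is being audited).

```python
# Constructed example resembling a stock sshd_config (not taken from the page).
WEAK_CONFIG = """\
#Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed hardened configuration following the checklist above.
HARDENED_CONFIG = """\
Port 39283
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
AllowUsers alice bob
PermitRootLogin yes   # duplicate later in the file: sshd keeps the FIRST value
"""


def _logical_lines(text):
    """Strip comments and blank lines, yielding 'keyword value' pairs."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            yield parts[0].lower(), parts[1].strip()


def parse_sshd_config(text):
    """Return {keyword_lower: value} for the global section only.
    sshd uses the first occurrence of a keyword, so later duplicates are ignored;
    parsing stops at the first Match line because everything after it is conditional."""
    settings = {}
    for key, value in _logical_lines(text):
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def has_match_block(text):
    return any(key == "match" for key, _ in _logical_lines(text))


def audit_sshd_config(text):
    """List of findings; an empty list means every checklist item is satisfied."""
    cfg = parse_sshd_config(text)
    findings = []
    if cfg.get("permitrootlogin") != "no":
        findings.append("PermitRootLogin is not 'no': root can be targeted directly over ssh")
    if cfg.get("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is not 'no': password guessing remains possible")
    if cfg.get("pubkeyauthentication", "yes") == "no":
        findings.append("PubkeyAuthentication is disabled: key-based login is not available")
    if cfg.get("port", "22") == "22":
        findings.append("sshd listens on the default port 22")
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("no AllowUsers/AllowGroups: every local account may attempt ssh login")
    if has_match_block(text):
        findings.append("Match block present: conditional overrides after it were not evaluated")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or "OK")
```

The duplicate PermitRootLogin line at the end of the hardened config shows why the parser must keep the first value: a stray "yes" appended below an earlier "no" does not reopen root login, and an audit that took the last value would report a problem sshd does not have.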
LVL 14

Expert Comment

ID: 16679240
if you do want to actively block those attempting to brute force their way into your box, see http://www.pettingers.org/code/sshblack.html
LVL 16

Assisted Solution

xDamox earned 140 total points
ID: 16681256

You can use a module called pam_abl

LVL 12

Assisted Solution

Heem14 earned 140 total points
ID: 16682138
best practice, if possible is to only allow trusted IPs into SSH in the first place. This would be best done on your hardware firewall, but can also be done using the /etc/hosts.allow or /etc/hosts.deny file. I prefer to use hosts.deny as such

SSHD:  ALL EXCEPT   my.ip.address.allowed my.other.ip.allowed

LVL 14

Expert Comment

ID: 17107076
Again, only to complete my previous answer
