?
Solved

How to Block IP addresses that show up in /var/log/auth.log after so many attempts?

Posted on 2007-08-08
5
Medium Priority
?
388 Views
Last Modified: 2010-04-22
Like most auth.log we have multiple failed attempts from various IP, usually trying to login as root. Is there any way to block a specific IP once it attempts to authenticate and fails more than three times?
0
Comment
Question by:douggoss
5 Comments
 
LVL 16

Accepted Solution

by:
Blaz earned 1600 total points
ID: 19654117
It is possible to do, but it is simpler to limit login attempts from one IP in a timeframe:
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP

lines copied from:
http://kevin.vanzonneveld.net/techblog/article/block_brute_force_attacks_with_iptables/
0
 
LVL 19

Assisted Solution

by:http:// thevpn.guru
http:// thevpn.guru earned 400 total points
ID: 19654157
What you need is SNORT...it is an intrusion detection system for linux..you can setup the scenario asked for and other different scenarios through it.
0
 
LVL 16

Assisted Solution

by:Blaz
Blaz earned 1600 total points
ID: 19654173
One method for locking IPs exceding login attempts is described in http://blinkeye.ch/mediawiki/index.php/SSH_Blocking

Also, if possible, you should limit from which IPs you can connect to the server via port 22.
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 19654186
Wouldn't it be a good thing to leave it as it is now ? This is the record you have for future hack problems.

Cheers,
Rajesh
0
 
LVL 30

Expert Comment

by:Kerem ERSOY
ID: 19655027
Hi,

I have some suggestions for you:
- First of all I'd suggest you to change your SSH port to a non-standard, if possible  greater then 1024  port. Becasue most of these attacks come from pepople having a scanner scanning well known ports.
- Then you might block password as authentication method and use certifiate authentication instead.

rsivanandan: using a live production system as a honey-pot :) Thanks but no thanks :)
0

Featured Post

New feature and membership benefit!

New feature! Upgrade and increase expert visibility of your issues with Priority Questions.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
Fine Tune your automatic Updates for Ubuntu / Debian
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…
Suggested Courses
Course of the Month17 days, 12 hours left to enroll

831 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question