Stonic n00b
Joined: 03 Jun 2007 Posts: 47
Posted: Mon Jul 16, 2007 8:08 am Post subject: Blocking ssh hammering
Hey, I was just checking my logs lately and I noticed something strange, and quite obviously a brute-force hacking attempt.. so I believe.
I see this in my messages, flooding every second:
Quote:
    Jul 16 16:09:30 hibecentral sshd[11191]: Invalid user prelude from 65.87.1.238
    Jul 16 16:09:31 hibecentral sshd[11193]: Invalid user premed from 65.87.1.238
    Jul 16 16:09:32 hibecentral sshd[11195]: Invalid user premed from 65.87.1.238
    Jul 16 16:09:33 hibecentral sshd[11197]: Invalid user premed from 65.87.1.238
    Jul 16 16:09:33 hibecentral sshd[11199]: Invalid user presto from 65.87.1.238
    Jul 16 16:09:34 hibecentral sshd[11201]: Invalid user presto from 65.87.1.238
    Jul 16 16:09:35 hibecentral sshd[11203]: Invalid user presto from 65.87.1.238
    Jul 16 16:09:36 hibecentral sshd[11205]: Invalid user prince from 65.87.1.238
    Jul 16 16:09:37 hibecentral sshd[11207]: Invalid user prince from 65.87.1.238
    Jul 16 16:09:38 hibecentral sshd[11209]: Invalid user prince from 65.87.1.238
and so on
Is there a way to 'ban' or block this IP, or better yet, set up a set of "Acceptable" public IPs for use of ssh?
Not only am I worried about my security, but this guy is using 8 kb/s of my bandwidth 24/7 :@
For the time being, I have actually shut down ssh just in case this guy's script actually breaks through.
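The log lines above are exactly what a log-scanning blocker (fail2ban and friends, discussed further down) keys on: count authentication failures per source address inside a time window, and act once a threshold is reached. The following is an added example, not code from the thread or from fail2ban, that implements that maxretry/findtime logic in POSIX sh and awk. The sample log is constructed in the format quoted in the post; 65.87.1.238 is the address from the post, while the 10.0.0.5 and 192.0.2.44 entries are made up to show a successful login being ignored and a slow source staying under the threshold.

```shell
#!/bin/sh
# Constructed sample in the sshd log format quoted in the post. The "Accepted"
# line and the two 192.0.2.44 lines are made up for the example.
SAMPLE_LOG='Jul 16 16:09:30 hibecentral sshd[11191]: Invalid user prelude from 65.87.1.238
Jul 16 16:09:31 hibecentral sshd[11193]: Invalid user premed from 65.87.1.238
Jul 16 16:09:32 hibecentral sshd[11195]: Invalid user premed from 65.87.1.238
Jul 16 16:09:33 hibecentral sshd[11197]: Invalid user premed from 65.87.1.238
Jul 16 16:09:33 hibecentral sshd[11199]: Invalid user presto from 65.87.1.238
Jul 16 16:09:34 hibecentral sshd[11201]: Invalid user presto from 65.87.1.238
Jul 16 16:09:40 hibecentral sshd[11210]: Accepted publickey for admin from 10.0.0.5 port 51022 ssh2
Jul 16 16:09:41 hibecentral sshd[11212]: Failed password for root from 192.0.2.44 port 40022 ssh2
Jul 16 16:15:41 hibecentral sshd[11230]: Failed password for root from 192.0.2.44 port 40023 ssh2'

# offenders MAXRETRY FINDTIME
# Prints each source IP that produced MAXRETRY authentication failures within
# FINDTIME seconds (the same two knobs fail2ban calls maxretry and findtime).
# Each IP is printed once, at the moment it crosses the threshold.
offenders() {
  printf '%s\n' "$SAMPLE_LOG" | awk -v max="$1" -v win="$2" '
    # Only failures count; "Accepted ..." lines never match this pattern.
    /sshd\[[0-9]+\]: (Invalid user|Failed password)/ {
      # Field 3 is HH:MM:SS; turn it into seconds since midnight
      # (day rollover is ignored in this example).
      split($3, t, ":"); now = t[1]*3600 + t[2]*60 + t[3]
      # The source address is the token after " from ".
      if (!match($0, / from [0-9.]+/)) next
      ip = substr($0, RSTART + 6, RLENGTH - 6)
      # Start a fresh window when the first recorded failure is too old.
      if (!(ip in first) || now - first[ip] > win) { first[ip] = now; count[ip] = 0 }
      count[ip]++
      if (count[ip] == max) print ip
    }'
}

# Stand-alone run: 5 failures within 60 seconds flags only 65.87.1.238.
offenders 5 60
```

With the thresholds above only 65.87.1.238 is reported; 192.0.2.44 fails twice but six minutes apart, so a 60-second window never accumulates enough hits, which is the behaviour that keeps a user who mistypes a password occasionally from banning themselves. A real deployment would feed `tail -F /var/log/messages` into the awk program and hand the printed addresses to an iptables rule or a hosts.deny entry.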
bunder Bodhisattva
Joined: 10 Apr 2004 Posts: 5937
Posted: Mon Jul 16, 2007 8:23 am Post subject:
there is fail2ban... that uses iptables to ban the offenders from connecting to your services.
but what really grinds my gears is that we all sign a eula/tos saying we won't do this to others, so why can they do it to us? hosting companies are the worst for this, along with asian and south american countries. i've been CIDR-banning them at the router level for quite some time now, but they still keep coming.
give fail2ban a try, i've never used it myself, but from what i hear it works quite well and is highly customizable.
cheers
_________________
Neddyseagoon wrote: "The problem with leaving is that you can only do it once and it reduces your influence."
banned from #gentoo since sept 2017
didymos Advocate
Joined: 10 Oct 2005 Posts: 4798 Location: California
Posted: Mon Jul 16, 2007 8:29 am Post subject:
You can use iptables for that. This is a good place to start:
http://gentoo-wiki.com/HOWTO_Iptables_for_newbies
I haven't checked everything there so it could be fine, but the Gentoo Wiki has been known to be wrong about things. Grain of salt and all that.
_________________
Thomas S. Howard
toralf Developer
Joined: 01 Feb 2004 Posts: 3938 Location: Hamburg
Posted: Mon Jul 16, 2007 9:42 am Post subject:
Use the iptables module recent, here's an example:

    # Drop a packet from a source already on the "ppp0" list within the last 60 s,
    # and refresh its timestamp so a sender that keeps hammering stays blocked.
    $IPT -t filter -A INPUT --in-interface ppp0 -m recent --update --seconds 60 --name ppp0 -j DROP
    # Otherwise put the source on the list. As posted this rule drops as well, so
    # it belongs after the rules that ACCEPT the traffic you actually want.
    $IPT -t filter -A INPUT --in-interface ppp0 -m recent --set --name ppp0 -j DROP
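The two rules above are the core of the recent-module pattern, but as posted they match every inbound packet on ppp0. The script below is an added example, not toralf's code, that fills the pattern out into a dedicated chain: only new TCP connections to the ssh port are counted, `--hitcount` sets how many are tolerated per window, and an allowlist of trusted sources (the "acceptable" public IPs asked about in the first post) bypasses the limiter. It keeps the `$IPT` variable from the post; `IPT` defaults to `echo iptables` so running it only prints the commands, and `IPT=iptables` as root applies them. The interface name ppp0 comes from the post; the chain name SSH_LIMIT, the list name sshlimit, the thresholds and the allowlist addresses 203.0.113.0/24 and 198.51.100.7 are constructed for the example.

```shell
#!/bin/sh
# Dry run by default: IPT="echo iptables" prints the rules instead of loading them.
IPT="${IPT:-echo iptables}"
IFACE="${IFACE:-ppp0}"                 # external interface, from the post
SSH_PORT="${SSH_PORT:-22}"
HITS=4                                 # new connections tolerated ...
WINDOW=60                              # ... per this many seconds, per source
ALLOW="203.0.113.0/24 198.51.100.7"    # constructed allowlist of trusted sources

ssh_ratelimit() {
  # A dedicated chain keeps the limiter separate from the rest of INPUT.
  $IPT -t filter -N SSH_LIMIT

  # Trusted sources leave the chain before any counting happens.
  for src in $ALLOW; do
    $IPT -t filter -A SSH_LIMIT -s "$src" -j RETURN
  done

  # A source with HITS or more entries in the last WINDOW seconds is dropped.
  # --update also refreshes its timestamp, so a client that keeps retrying
  # stays blocked until it has been quiet for a full WINDOW.
  $IPT -t filter -A SSH_LIMIT -m recent --name sshlimit --update --seconds "$WINDOW" --hitcount "$HITS" -j DROP

  # Under the threshold: record this attempt and return to INPUT, where the
  # normal ACCEPT rule for ssh decides.
  $IPT -t filter -A SSH_LIMIT -m recent --name sshlimit --set -j RETURN

  # Only connection attempts (SYN) to the ssh port on the external interface
  # are sent through the limiter; established sessions are never counted.
  $IPT -t filter -A INPUT -i "$IFACE" -p tcp --dport "$SSH_PORT" --syn -j SSH_LIMIT
}

ssh_ratelimit
```

The order inside SSH_LIMIT matters: the allowlist RETURNs come first so a trusted admin is never counted, the `--update` check comes before `--set` so the blocking decision is made on the history that existed before this packet, and the INPUT jump is added last so the chain is complete before traffic reaches it. The limit counts connections rather than failed logins, which is why this complements rather than replaces a log-based blocker: it throttles a scanner at the first SYN, without waiting for sshd to log anything.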
pdr l33t
Joined: 20 Mar 2004 Posts: 618
Posted: Mon Jul 16, 2007 10:06 am Post subject:
If it is doable for you (firewalls at work, etc) then you can also just run sshd on a different port...
bunder Bodhisattva
Joined: 10 Apr 2004 Posts: 5937
Posted: Mon Jul 16, 2007 10:11 am Post subject:
pdr wrote: "If it is doable for you (firewalls at work, etc) then you can also just run sshd on a different port..."
you can... until they probe the port and see ssh running on it... and besides, for rfc saneness, why should we run our daemons on alternate ports? the ports specified for the services (ftp/ssh/etc) are the ones we're supposed to use. imagine running an ssh server on 80 and then google comes crawling around...
_________________
Neddyseagoon wrote: "The problem with leaving is that you can only do it once and it reduces your influence."
banned from #gentoo since sept 2017
Cyker Veteran
Joined: 15 Jun 2006 Posts: 1746
Posted: Mon Jul 16, 2007 6:44 pm Post subject:
Moving SSH to a different port will cut down hacking attempts by like 90% (Like all statistics, I am pulling this out my proverbial )
Most of them are automated, launched by 'script-kiddies', so they aren't very thorough.
I've only had one really determined attack, and that was only possible because my IP was static (I asked my ISP to put me back on dynamic after that...!)
A better solution than moving the port is to implement some sort of log-scanning that uses either IPTABLES or hosts.deny to block attacks.
I made my own one using SEC (Simple Event Correlator) and some custom rule scripts.
Off the top of my head, specifically written alternatives include:
denyhosts
fail2ban
sshguard
sshdfilter
Stonic n00b
Joined: 03 Jun 2007 Posts: 47
Posted: Tue Jul 17, 2007 4:09 am Post subject:
Thanks for the replies!
I've got fail2ban set up, and things appear to have stopped!!
My password shouldn't be too easy to crack, and I will make sure to change it on a regular basis, to prevent further scares
JeliJami Veteran
Joined: 17 Jan 2006 Posts: 1086 Location: Belgium
Cyker Veteran
Joined: 15 Jun 2006 Posts: 1746
Posted: Tue Jul 17, 2007 9:23 am Post subject:
Oooh, good call! I forgot about that...
nixnut Bodhisattva
Joined: 09 Apr 2004 Posts: 10974 Location: the dutch mountains
Posted: Tue Jul 17, 2007 3:32 pm Post subject:
Moved from Networking & Security to Duplicate Threads.
See link above
_________________
Please add [solved] to the initial post's subject line if you feel your problem is resolved. Help answer the unanswered
talk is cheap. supply exceeds demand