Gentoo Forums
Blocking ssh hammering
Stonic
n00b


Joined: 03 Jun 2007
Posts: 47

Posted: Mon Jul 16, 2007 8:08 am    Post subject: Blocking ssh hammering

Hey, I was just checking my logs lately and I noticed something strange, quite obviously a brute-force hacking attempt... so I believe :P

I see this in my messages, flooding every second:

Quote:

Jul 16 16:09:30 hibecentral sshd[11191]: Invalid user prelude from 65.87.1.238
Jul 16 16:09:31 hibecentral sshd[11193]: Invalid user premed from 65.87.1.238
Jul 16 16:09:32 hibecentral sshd[11195]: Invalid user premed from 65.87.1.238
Jul 16 16:09:33 hibecentral sshd[11197]: Invalid user premed from 65.87.1.238
Jul 16 16:09:33 hibecentral sshd[11199]: Invalid user presto from 65.87.1.238
Jul 16 16:09:34 hibecentral sshd[11201]: Invalid user presto from 65.87.1.238
Jul 16 16:09:35 hibecentral sshd[11203]: Invalid user presto from 65.87.1.238
Jul 16 16:09:36 hibecentral sshd[11205]: Invalid user prince from 65.87.1.238
Jul 16 16:09:37 hibecentral sshd[11207]: Invalid user prince from 65.87.1.238
Jul 16 16:09:38 hibecentral sshd[11209]: Invalid user prince from 65.87.1.238


and so on

Is there a way to 'ban' or block this IP, or better yet, set up a set of "acceptable" public IPs for use of ssh?

Not only am I worried about my security, but this guy is using 8 kb/s of my bandwidth 24/7 :@

For the time being, I have actually shut down ssh just in case this guy's script actually breaks through.
bunder
Bodhisattva


Joined: 10 Apr 2004
Posts: 5937

Posted: Mon Jul 16, 2007 8:23 am

there is fail2ban... that uses iptables to ban the offenders from connecting to your services.

but what really grinds my gears is that we all sign a eula/tos saying we won't do this to others, so why can they do it to us? hosting companies are the worst for this, along with asian and south american countries. i've been CIDR-banning them at the router level for quite some time now, but they still keep coming.

give fail2ban a try, i've never used it myself, but from what i hear it works quite well and is highly customizable.

cheers
_________________
Neddyseagoon wrote:
The problem with leaving is that you can only do it once and it reduces your influence.

banned from #gentoo since sept 2017
didymos
Advocate


Joined: 10 Oct 2005
Posts: 4798
Location: California

Posted: Mon Jul 16, 2007 8:29 am

You can use iptables for that. This is a good place to start:
http://gentoo-wiki.com/HOWTO_Iptables_for_newbies

I haven't checked everything there so it could be fine, but the Gentoo Wiki has been known to be wrong about things. Grain of salt and all that.
_________________
Thomas S. Howard
toralf
Developer


Joined: 01 Feb 2004
Posts: 3938
Location: Hamburg

Posted: Mon Jul 16, 2007 9:42 am

Use the iptables module recent; here's an example:
Code:
# $IPT is the iptables binary (e.g. IPT=/sbin/iptables); rule 1: a source already in the "ppp0" recent list and seen within the last 60 s gets its timestamp refreshed and is dropped
$IPT -t filter -A INPUT --in-interface ppp0 -m recent --update --seconds 60 --name ppp0 -j DROP
# rule 2: any other source that still reaches this point is added to the list and dropped
$IPT -t filter -A INPUT --in-interface ppp0 -m recent --set --name ppp0 -j DROP
pdr
l33t


Joined: 20 Mar 2004
Posts: 618

Posted: Mon Jul 16, 2007 10:06 am

If it is doable for you (firewalls at work, etc) then you can also just run sshd on a different port...
bunder
Bodhisattva


Joined: 10 Apr 2004
Posts: 5937

Posted: Mon Jul 16, 2007 10:11 am

pdr wrote:
If it is doable for you (firewalls at work, etc) then you can also just run sshd on a different port...


you can... until they probe the port and see ssh running on it... and besides, for rfc saneness, why should we run our daemons on alternate ports? the ports specified for the services (ftp/ssh/etc) are the ones we're supposed to use. imagine running an ssh server on 80 and then google comes crawling around...
Cyker
Veteran


Joined: 15 Jun 2006
Posts: 1746

Posted: Mon Jul 16, 2007 6:44 pm

Moving SSH to a different port will cut down hacking attempts by like 90% (like all statistics, I am pulling this out of my proverbial ;))

Most of them are automated, launched by 'script-kiddies', so they aren't very thorough.
I've only had one really determined attack, and that was only possible because my IP was static (I asked my ISP to put me back on dynamic after that...!)

A better solution than moving the port is to implement some sort of log-scanning that uses either IPTABLES or hosts.deny to block attacks.

I made my own one using SEC (Simple Event Correlator) and some custom rule scripts.

Off the top of my head, specifically written alternatives include:
denyhosts
fail2ban
sshguard
sshdfilter
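The log-scanning approach Cyker describes, as an added example that is not code from this thread or from fail2ban, denyhosts, sshguard or sshdfilter: it parses sshd "Invalid user" lines like the ones Stonic quoted, bans a source once it reaches a threshold of failures inside a sliding time window, and emits the hosts.deny and iptables lines a blocker would apply. The sample log, the threshold, the window and the assumed year are constructed values, and the source that pauses longer than the window shows why the window matters.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# Constructed sample log in the syslog/sshd format quoted in the thread; addresses are RFC 5737 test ranges.
SAMPLE_LOG = """\
Jul 16 16:09:30 hibecentral sshd[11191]: Invalid user prelude from 192.0.2.10
Jul 16 16:09:31 hibecentral sshd[11193]: Invalid user premed from 192.0.2.10
Jul 16 16:09:32 hibecentral sshd[11195]: Invalid user premed from 192.0.2.10
Jul 16 16:09:33 hibecentral sshd[11197]: Invalid user presto from 192.0.2.10
Jul 16 16:09:40 hibecentral sshd[11201]: Accepted publickey for admin from 198.51.100.7 port 51022 ssh2
Jul 16 16:10:05 hibecentral sshd[11210]: Invalid user guest from 203.0.113.5
Jul 16 16:12:30 hibecentral sshd[11230]: Invalid user test from 203.0.113.5
"""

# Only "Invalid user ... from <ip>" failures count; successful logins and other lines are ignored.
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Invalid user \S+ from (?P<ip>[\d.]+)")

def parse_ts(ts, year=2007):
    # syslog timestamps carry no year; the year is an assumed value, used only for ordering
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_offenders(log_text, max_tries=3, window_s=60):
    """Return {ip: ban_time} for each source reaching max_tries failures inside window_s seconds."""
    recent = defaultdict(deque)  # ip -> timestamps of its failures still inside the window
    banned = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["ip"] in banned:
            continue
        t = parse_ts(m["ts"])
        q = recent[m["ip"]]
        q.append(t)
        while (t - q[0]).total_seconds() > window_s:  # forget failures that aged out
            q.popleft()
        if len(q) >= max_tries:
            banned[m["ip"]] = t
    return banned

def to_hosts_deny(banned):
    # one /etc/hosts.deny line per banned source (needs an sshd built with tcp_wrappers)
    return [f"sshd: {ip}" for ip in sorted(banned)]

def to_iptables(banned):
    # the equivalent per-source DROP rules, returned as strings rather than executed
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP" for ip in sorted(banned)]

if __name__ == "__main__":
    hits = find_offenders(SAMPLE_LOG)
    print("\n".join(to_hosts_deny(hits) + to_iptables(hits)))
```

With the defaults, 192.0.2.10 is banned on its third failure while 203.0.113.5, whose two failures are 145 s apart, is not; a wider window and lower threshold catch it too.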
Stonic
n00b


Joined: 03 Jun 2007
Posts: 47

Posted: Tue Jul 17, 2007 4:09 am

Thanks for the replies!

I've got fail2ban set up, and things appear to have stopped!!

My password shouldn't be too easy to crack, and I will make sure to change it on a regular basis, to prevent further scares :)
JeliJami
Veteran


Joined: 17 Jan 2006
Posts: 1086
Location: Belgium

Posted: Tue Jul 17, 2007 8:20 am

for a lengthy discussion on this topic, and techniques that can be used:
[HOWTO] Get rid of SSH Brute Force Attempts / Script Kiddies
_________________
Unanswered Post Initiative | Search | FAQ
Former username: davjel
Cyker
Veteran


Joined: 15 Jun 2006
Posts: 1746

Posted: Tue Jul 17, 2007 9:23 am

Oooh, good call! I forgot about that... :)
nixnut
Bodhisattva


Joined: 09 Apr 2004
Posts: 10974
Location: the dutch mountains

Posted: Tue Jul 17, 2007 3:32 pm

Moved from Networking & Security to Duplicate Threads.
See link above
_________________
Please add [solved] to the initial post's subject line if you feel your problem is resolved. Help answer the unanswered

talk is cheap. supply exceeds demand