Gentoo Forums
SSH Breakin Attempts
JTHM
Tux's lil' helper


Joined: 31 Jul 2005
Posts: 115
Location: South Farms

PostPosted: Thu Oct 04, 2007 1:26 am    Post subject: SSH Breakin Attempts

Hey all, I've got a bit of a problem (or at least a potential problem). For the past few weeks, it seems somebody's been trying to break into my gentoo box over ssh. I've been getting several chunks like this in my /var/log/messages:

Sep 29 06:50:16 Nirvana sshd[4122]: Invalid user france from 219.139.190.249
Sep 29 06:50:24 Nirvana sshd[4392]: Invalid user raider from 219.139.190.249
Sep 29 06:50:31 Nirvana sshd[4580]: Invalid user movie from 219.139.190.249
Sep 29 06:50:37 Nirvana sshd[4796]: Invalid user movies from 219.139.190.249
Sep 29 06:50:44 Nirvana sshd[4931]: Invalid user judith from 219.139.190.249
Sep 29 06:50:50 Nirvana sshd[5151]: Invalid user default from 219.139.190.249
Sep 29 06:50:55 Nirvana sshd[5295]: Invalid user sean from 219.139.190.249
Sep 29 06:51:03 Nirvana sshd[5457]: Invalid user erik from 219.139.190.249
Sep 29 06:51:08 Nirvana sshd[5665]: Invalid user house from 219.139.190.249
Sep 29 06:51:14 Nirvana sshd[5839]: Invalid user status from 219.139.190.249
Sep 29 06:51:19 Nirvana sshd[6022]: Invalid user music from 219.139.190.249
Sep 29 06:51:25 Nirvana sshd[6159]: Invalid user test from 219.139.190.249
Sep 29 06:51:30 Nirvana sshd[6320]: Invalid user christian from 219.139.190.249
Sep 29 06:51:36 Nirvana sshd[6454]: Invalid user upload from 219.139.190.249
Sep 29 06:51:42 Nirvana sshd[6613]: Invalid user security from 219.139.190.249
Sep 29 06:51:47 Nirvana sshd[6748]: Invalid user scanner from 219.139.190.249
Sep 29 06:51:53 Nirvana sshd[6910]: Invalid user work from 219.139.190.249
Sep 29 06:52:00 Nirvana sshd[7069]: Invalid user eli from 219.139.190.249
Sep 29 06:52:09 Nirvana sshd[7338]: Invalid user ariel from 219.139.190.249
Sep 29 06:52:14 Nirvana sshd[7473]: Invalid user matt from 219.139.190.249
Sep 29 06:52:20 Nirvana sshd[7634]: Invalid user smoke from 219.139.190.249
Sep 29 06:52:25 Nirvana sshd[7794]: Invalid user papa from 219.139.190.249
Sep 29 06:52:31 Nirvana sshd[7928]: Invalid user beth from 219.139.190.249
Sep 29 06:52:36 Nirvana sshd[8088]: Invalid user samba from 219.139.190.249
Sep 29 06:52:44 Nirvana sshd[8222]: Invalid user library from 219.139.190.249
Sep 29 06:52:54 Nirvana sshd[8438]: Invalid user don from 219.139.190.249
Sep 29 06:52:59 Nirvana sshd[8680]: Invalid user webuser from 219.139.190.249
Sep 29 06:53:05 Nirvana sshd[8840]: Invalid user monitor from 219.139.190.249

This goes on for pages. Fortunately, the box isn't big (just for personal use really) and only has 2 or 3 accounts, all of them password protected.

It seems he hasn't been successful yet (although after each attack, X goes into a kind of half-freeze with X itself using 100% of the CPU and not responding to anything).

I was wondering a couple of things:

1.) Is there any way to secure sshd against something like this short of installing iptables? While each attempt in a session comes from the same IP address, each session comes from a different one. Is there any way to, say, lock out an IP after 3 bad usernames are attempted?

2.) Can I verify that he hasn't gotten in yet? The seemingly random attempts take place as recently as this afternoon, and I imagine he wouldn't be trying random names if he found a way in, but you never know (especially with the X freezing issue).

3.) Does anybody have any suggestions on ways to screw with him? Nothing malicious (he hasn't done any damage yet), but something practical-joke-like.

Thanks for the read, any suggestions are welcome.
_________________
Any problem can be solved. You just need to throw enough time and ninjas at it.
davidgurvich
Veteran


Joined: 23 Apr 2004
Posts: 1063

PostPosted: Thu Oct 04, 2007 1:35 am    Post subject:

A basic hosts.allow file
Code:
ALL : 127.0.0.1 : ALLOW
ALL : 192.168.2.0/255.255.255.0 : ALLOW
ALL : ALL : DENY
That only allows localhost and local ip logins. man hosts.allow to see more options. There is also the possibility of setting up an automated blacklist file and using that as well.
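As an added illustration (not code from any poster in this thread), here is a small Python detector for the exact sshd log format quoted above: it implements the "lock out an IP after 3 bad usernames" idea from the original question, checks the follow-up question of whether a flagged source ever logged in successfully, and renders the result as hosts.deny entries of the kind an automated blacklist file would hold. The regex names, the threshold, the 192.0.2.10 sample lines and the assumption that sshd honours tcp_wrappers-style `hosts.deny` rules are all assumptions of this example.

```python
import re
from collections import defaultdict

# Matches the two sshd message types this example cares about.
INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\d+\.\d+\.\d+\.\d+)")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\d+\.\d+\.\d+\.\d+)")

def analyze(lines, threshold=3):
    """Return (blocked, suspicious). blocked maps IP -> bad usernames tried
    once an IP reaches `threshold` of them; suspicious lists (ip, user,
    method) for every Accepted login from a blocked IP."""
    bad = defaultdict(list)
    accepted = []
    for line in lines:
        m = INVALID_RE.search(line)
        if m:
            bad[m.group(2)].append(m.group(1))
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m.group(3), m.group(2), m.group(1)))
    blocked = {ip: users for ip, users in bad.items() if len(users) >= threshold}
    suspicious = [entry for entry in accepted if entry[0] in blocked]
    return blocked, suspicious

def hosts_deny_lines(blocked):
    """Render blocked IPs as hosts.deny entries scoped to sshd, the kind of
    automated blacklist file mentioned above (assumes tcp_wrappers syntax)."""
    return [f"sshd : {ip} : DENY" for ip in sorted(blocked)]

# Sample input: the first three lines are quoted from the thread; the last
# two are constructed for this example (192.0.2.10 is a documentation address).
SAMPLE = [
    "Sep 29 06:50:16 Nirvana sshd[4122]: Invalid user france from 219.139.190.249",
    "Sep 29 06:50:24 Nirvana sshd[4392]: Invalid user raider from 219.139.190.249",
    "Sep 29 06:50:31 Nirvana sshd[4580]: Invalid user movie from 219.139.190.249",
    "Sep 29 06:55:02 Nirvana sshd[9001]: Invalid user test from 192.0.2.10",
    "Sep 29 07:10:45 Nirvana sshd[9120]: Accepted password for alice from 219.139.190.249 port 51822 ssh2",
]

if __name__ == "__main__":
    blocked, suspicious = analyze(SAMPLE)
    print("\n".join(hosts_deny_lines(blocked)))
    for ip, user, method in suspicious:
        print(f"WARNING: {method} login for {user} from flagged host {ip}")
```

In practice this would be fed /var/log/messages from cron or a log tail; a single IP that trips the threshold and then shows an Accepted line is exactly the case worth investigating on the box.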
JTHM
Tux's lil' helper


Joined: 31 Jul 2005
Posts: 115
Location: South Farms

PostPosted: Thu Oct 04, 2007 1:41 am    Post subject:

Hmm, how would I go about setting up an automated blacklist file? I considered setting up something like that hosts.allow, but I remote in from work and a number of other places (not always known ahead of time), so I'd like to leave that option open if possible. For now, I just turned sshd off since I'm sitting at the machine. Thanks a lot for the help, though, that's a great fallback option since I'd just have to add my work IP to the list and just make sure I don't need to get in from anywhere unexpected.
_________________
Any problem can be solved. You just need to throw enough time and ninjas at it.
Dammital
Apprentice


Joined: 05 Nov 2004
Posts: 189

PostPosted: Thu Oct 04, 2007 1:54 am    Post subject: Try denyhosts

Easy to install ("emerge denyhosts") and configure, and works pretty well.
See http://denyhosts.sourceforge.net/
JTHM
Tux's lil' helper


Joined: 31 Jul 2005
Posts: 115
Location: South Farms

PostPosted: Thu Oct 04, 2007 2:43 am    Post subject:

Thanks, I just installed denyhosts and started it up. Let's see if this helps prevent further attacks.
_________________
Any problem can be solved. You just need to throw enough time and ninjas at it.
m.b.j.
Guru


Joined: 12 Sep 2003
Posts: 407
Location: Germany (Essen)

PostPosted: Thu Oct 04, 2007 7:33 am    Post subject:

Try running your sshd on a different port. Most script kiddies don't know how to change the target port on their "hack scripts"...

/etc/ssh/sshd_config
Code:
Port 222
While connecting you can use the -p switch to set port.

Or put this into your ~/.ssh/config

Code:
host <yourhost>
  port <yourport>

_________________
root@mbj # echo "sys-pizza/calzone -tunfish" >> /etc/paludis/use.conf
root@mbj # paludis -i calzone --dl-blocks discard
John R. Graham
Administrator


Joined: 08 Mar 2005
Posts: 10587
Location: Somewhere over Atlanta, Georgia

PostPosted: Thu Oct 04, 2007 9:15 am    Post subject:

You might also want to consider using public key authentication, especially if you are the principal user. Then you can set "PasswordAuthentication no" in your /etc/ssh/sshd_config and laugh at the futile script kiddie login attempts. I regularly report 'em to their ISP anyway, getting the contact information from the whois data.

- John
mark_alec
Bodhisattva


Joined: 11 Sep 2004
Posts: 6066
Location: Melbourne, Australia

PostPosted: Thu Oct 04, 2007 11:16 am    Post subject:

Moved from Networking & Security to Duplicate Threads.

See https://forums.gentoo.org/viewtopic-t-566744.html
_________________
www.gentoo.org.au || #gentoo-au