possible to prevent break-in attempts over ssh?

Message

dmccarthy · Post by **dmccarthy** » Wed Aug 16, 2006 10:28 am

Hi,
I've a gentoo box on the internet. I occasionally see ssh break-in attempts in my /var/log/auth.log file, lines like

Code: Select all

Aug 15 13:34:00 www1 sshd[18547]: Invalid user vincent from 80.48.253.130
Aug 15 13:34:02 www1 sshd[18549]: Invalid user women from 80.48.253.130

repeated ad-nauseam from the same address, trying different usernames. Now the box is safe from this sort of attack as it only allows access via public key, but the attempts annoy me. Is there any tool out there that denies access from a specific ip address if too many dodgy usernames are attempted? Indeed, is there some other way of thwarting such script-kiddie nonsense?
Thanks
Denis

Janne Pikkarainen · Post by **Janne Pikkarainen** » Wed Aug 16, 2006 10:34 am

emerge fail2ban. Very simple to setup and it automatically bans some IP address for some period of time after X failed login attempts.

wynn · Post by **wynn** » Wed Aug 16, 2006 11:23 am

The Handlers Diary Security Tip of the day: Handling brute-force login attempts has some useful tips.

dmccarthy · Post by **dmccarthy** » Wed Aug 16, 2006 3:50 pm

I'll try it - thanks

James Wells · Post by **James Wells** » Thu Aug 17, 2006 12:43 am

Greetings,

I tried fail2ban and didn't like it. Instead I use;

Code: Select all

iptables -A SSHD -p tcp -m state --state NEW -m recent --update --seconds 86400 --hitcount 3 --rttl -j DROPLOG
iptables -A SSHD -p tcp -m state --state NEW -m recent --set -j ACCEPT

iptables -A DROPLOG -m limit --limit 3/minute --limit-burst 10 -j LOG --log-prefix 'iptables Droplog: '
iptables -A DROPLOG -j DROP

Note that this method does not require any other packages than iptables and, for me anyway, works better than fail2ban and sshdfilter.

Janne Pikkarainen · Post by **Janne Pikkarainen** » Thu Aug 17, 2006 7:34 am

James Wells: Wow. You must be the first one I've seen who doesn't like fail2ban. What was so annoying in it?

James Wells · Post by **James Wells** » Sat Aug 19, 2006 2:42 am

Janne Pikkarainen wrote:James Wells: Wow. You must be the first one I've seen who doesn't like fail2ban. What was so annoying in it?

It's not so much that I dislike it, more that I don't 'like' it.

The reasoning is fairly simple. The core functionality of both fail2ban and sshdfilter is using iptables to block port 22 access to specific hosts, based on source IP address. The solution I posted does the exact same thing, just without the extra bells and whistles which I really see no need for.

I should probably point out that this is one of the things I love most about Unix... There is always more than one right way to do things.