repetitive ssh logins by bots - any way to stop these?

14 posts • Page 1 of 1
dilbot
Apprentice
Posts: 153
Joined: Fri Feb 06, 2004 1:53 am
Location: Canada

Post by dilbot » Thu Aug 10, 2006 8:09 pm

I've noticed bots trying to repetitively ssh into my mail/web server, hundreds of times. Mostly from Asia. Is there a way to get these IPs locked out automatically after say 10 or 20 tries?
schwicky
n00b
Posts: 27
Joined: Fri Aug 13, 2004 2:41 pm
Location: Langnau im Emmental

Post by schwicky » Thu Aug 10, 2006 8:25 pm

Have a look at fail2ban. It allows you to specify iptables rules to block abusive ssh/apache/ftp/... failed logins.
Nothing's impossible... Everything's relative!
kilianh
n00b
Posts: 27
Joined: Fri Oct 08, 2004 9:12 am
Location: Cape Town, South Africa

Post by kilianh » Thu Aug 10, 2006 9:07 pm

To make ssh itself less prone to attacks like this I always use one or more of the following three techniques:
  • Use key-based logins and disable password logins. Very secure and fairly simple to set up.
  • Use iptables to allow ssh access from only a select few IP addresses (or only a single one). Very secure.
  • Run ssh on a different port. Security by obscurity.
Haven't looked at fail2ban yet, but I highly recommend the first option.
svancouw
n00b
Posts: 57
Joined: Sun Feb 05, 2006 2:47 am
Location: California

Post by svancouw » Thu Aug 10, 2006 11:13 pm

We just noticed yesterday at 1 a.m. that my servers were getting hit pretty hard with that from Romania, and we installed denyhosts. That allows you to set how many attempts are made before they are banned, and for how long. Then, if they do it again, they are banned permanently. All IPs and hostnames are blocked via hosts.deny.

This is a very effective means of stopping this sort of activity. It does use /var/log/messages to set up the banned IPs, so you might want to clear that log first, or else it will accidentally ban valid IPs. That is, for example, if you forgot your password and couldn't log in via ssh three times in a row, it would add your source IP to the banned list.

Our settings are three attempts, banned for a week. After that week, three more attempts, banned permanently. If you want to re-enable someone, just delete their IP or hostname from hosts.deny.

Hope this helps!

Sean
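The threshold-and-escalation policy Sean describes (three failures, a one-week ban, then a permanent ban after three more), as an added example that is not part of this thread and is not denyhosts' or fail2ban's own code. It replays constructed sshd lines of the kind found in /var/log/messages and produces the hosts.deny entries that should be in force at a chosen time; the year (2006), the addresses and the usernames are made up, and the `sshd: <ip>` line format is the standard TCP wrappers syntax.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 3                  # failed logins that trigger a ban
TEMP_BAN = timedelta(days=7)   # first ban lasts a week
MAX_OFFENSES = 2               # the second ban is permanent
YEAR = 2006                    # assumed: syslog lines carry no year

# Constructed sample of /var/log/messages lines (not real traffic).
SAMPLE_LOG = """\
Aug 10 01:00:01 mail sshd[4012]: Failed password for invalid user admin from 192.0.2.10 port 40211 ssh2
Aug 10 01:00:03 mail sshd[4013]: Failed password for root from 192.0.2.10 port 40212 ssh2
Aug 10 01:00:05 mail sshd[4014]: Failed password for invalid user test from 192.0.2.10 port 40213 ssh2
Aug 10 01:00:07 mail sshd[4015]: Failed password for root from 192.0.2.10 port 40214 ssh2
Aug 10 09:15:00 mail sshd[4100]: Failed password for sean from 198.51.100.7 port 51000 ssh2
Aug 10 09:15:10 mail sshd[4101]: Failed password for sean from 198.51.100.7 port 51001 ssh2
Aug 10 09:15:20 mail sshd[4102]: Accepted publickey for sean from 198.51.100.7 port 51002 ssh2
Aug 18 02:00:00 mail sshd[5001]: Failed password for root from 192.0.2.10 port 40300 ssh2
Aug 18 02:00:02 mail sshd[5002]: Failed password for root from 192.0.2.10 port 40301 ssh2
Aug 18 02:00:04 mail sshd[5003]: Failed password for root from 192.0.2.10 port 40302 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def _parse_ts(text):
    return datetime.strptime(f"{YEAR} {text}", "%Y %b %d %H:%M:%S")


class HostState:
    """What the policy remembers about one source address."""

    def __init__(self):
        self.failures = 0          # failures since the last ban
        self.offenses = 0          # bans handed out so far
        self.banned_until = None   # end of the current temporary ban
        self.permanent = False

    def is_banned(self, now):
        return self.permanent or (self.banned_until is not None and now < self.banned_until)


def apply_policy(log_text, now):
    """Replay failed-login lines (in log order) up to `now`; return per-address state."""
    hosts = defaultdict(HostState)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue                 # successes and unrelated lines do not count
        ts = _parse_ts(m["ts"])
        if ts > now:
            break                    # evaluate the policy as of `now`
        h = hosts[m["ip"]]
        if h.is_banned(ts):
            continue                 # hosts.deny would already be refusing this source
        h.failures += 1
        if h.failures >= THRESHOLD:
            h.failures = 0
            h.offenses += 1
            if h.offenses >= MAX_OFFENSES:
                h.permanent = True
            else:
                h.banned_until = ts + TEMP_BAN
    return dict(hosts)


def hosts_deny_lines(log_text, now_text="Aug 20 00:00:00"):
    """hosts.deny entries (TCP wrappers syntax) that should be in force at `now_text`."""
    now = _parse_ts(now_text)
    hosts = apply_policy(log_text, now)
    return [f"sshd: {ip}" for ip, h in sorted(hosts.items()) if h.is_banned(now)]


if __name__ == "__main__":
    for when in ("Aug 11 00:00:00", "Aug 17 12:00:00", "Aug 20 00:00:00"):
        print(when, hosts_deny_lines(SAMPLE_LOG, when))
```

Evaluating at three dates shows the lifecycle: 192.0.2.10 is listed after its first three failures, drops off once the week has passed, and comes back permanently after the second burst, while the two mistyped passwords from 198.51.100.7 never reach the threshold. The `now` argument is also the answer to Sean's warning about stale log lines: a failure burst from months ago is only a ban if its window still covers the time you evaluate, so a tool that replays an old log without that check will ban the admin who once forgot a password.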
phatscum
n00b
Posts: 34
Joined: Mon Mar 20, 2006 4:03 pm
Location: Down the sewers

Post by phatscum » Thu Aug 10, 2006 11:21 pm

I'll second fail2ban. Very easy and effective.
Computer games don't affect kids, I mean, if pacman affected us as kids we'd all run around in a darkened room munching pills and listening to repetitive music.
dilbot
Apprentice
Posts: 153
Joined: Fri Feb 06, 2004 1:53 am
Location: Canada

Post by dilbot » Fri Aug 11, 2006 3:31 am

All excellent suggestions - I've started looking at each package. Thanks for your help!
James Wells
n00b
Posts: 57
Joined: Fri Sep 10, 2004 4:26 pm

Post by James Wells » Wed Aug 16, 2006 2:24 am

Greetings,

If you already have iptables installed, a simple solution is to modify your /etc/ssh/sshd_config file, changing MaxAuthTries to 2. This will tell sshd to only allow two attempts per connect. Then you simply add the following to your iptables rules:

# Assumed setup for these rules: the two custom chains exist and new SSH
# connections arriving on INPUT are handed to the SSHD chain.
iptables -N SSHD
iptables -N DROPLOG
iptables -A INPUT -p tcp --dport 22 -j SSHD
# A source with 3 or more recorded new connections inside 24 hours (same TTL) goes to DROPLOG
iptables -A SSHD -p tcp -m state --state NEW -m recent --update --seconds 86400 --hitcount 3 --rttl -j DROPLOG
# Otherwise record the source address and let the connection through
iptables -A SSHD -p tcp -m state --state NEW -m recent --set -j ACCEPT

# DROPLOG: a rate-limited syslog entry, then drop the packet
iptables -A DROPLOG -m limit --limit 3/minute --limit-burst 10 -j LOG --log-prefix 'iptables Droplog: '
iptables -A DROPLOG -j DROP
The first line says that if a site attempts to connect to SSH more than 3 times, within 24 hours, send that site to the table called DROPLOG. Droplog then generates a syslog entry and drops the connection and all future attempts for the next 24 hours.

I have found that this system works very well for me. YMMV of course.
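To see exactly what the two SSHD rules above let through, here is an added simulation (not part of the thread, and not iptables or kernel code) of how the recent match evaluates `--update --seconds --hitcount` followed by `--set`: a per-source list of timestamps, counted over the window, and refreshed by `--update` only when that rule matches. The source addresses and timings are constructed; `--rttl` and the module's cap on stored timestamps are left out.

```python
from collections import defaultdict

SECONDS = 86400      # --seconds 86400 from the post
HITCOUNT = 3         # --hitcount 3 from the post
MAX_AUTH_TRIES = 2   # sshd MaxAuthTries 2 from the post


class RecentTable:
    """Per-source timestamp list as the recent match keeps it (cap and --rttl not modelled)."""

    def __init__(self):
        self.stamps = defaultdict(list)   # source address -> times of recorded packets

    def update_matches(self, src, now):
        """-m recent --update --seconds S --hitcount N: true when at least N recorded
        packets from src fall inside the window; a match also records this packet."""
        hits = sum(1 for t in self.stamps[src] if now - t <= SECONDS)
        if hits >= HITCOUNT:
            self.stamps[src].append(now)
            return True
        return False

    def set(self, src, now):
        """-m recent --set: unconditionally record this packet."""
        self.stamps[src].append(now)


def sshd_chain(table, src, now):
    """Walk the SSHD chain for one new TCP connection: DROPLOG if the update rule
    matches, otherwise record the source and ACCEPT (the two rules, in order)."""
    if table.update_matches(src, now):
        return "DROPLOG"
    table.set(src, now)
    return "ACCEPT"


def simulate(attempts):
    """attempts: list of (seconds, source) in time order; returns one verdict per attempt."""
    table = RecentTable()
    return [sshd_chain(table, src, t) for t, src in attempts]


def max_password_guesses(verdicts):
    """Upper bound on password guesses the accepted connections allow under MaxAuthTries."""
    return MAX_AUTH_TRIES * verdicts.count("ACCEPT")


# Constructed scenarios (not real traffic); addresses are from documentation ranges.
BURST_BOT = [(t, "198.51.100.9") for t in (0, 10, 20, 30, 40)]
ADMIN = [(t, "192.0.2.5") for t in (0, 3600, 7200, 10800, 86401, 97201)]
SLOW_SOURCE = [(t, "203.0.113.4") for t in (0, 43200, 86400, 129600)]

if __name__ == "__main__":
    for name, scenario in (("burst bot", BURST_BOT), ("admin", ADMIN), ("slow source", SLOW_SOURCE)):
        v = simulate(scenario)
        print(f"{name:12s} {' '.join(x[0] for x in v)}  (<= {max_password_guesses(v)} guesses)")
```

Because the update rule counts the stamps already stored, the fourth new connection inside 24 hours is the first one dropped, which is what "more than 3 times" means in practice; with MaxAuthTries 2 a burst is capped at six password guesses per day. The drop rule refreshes the timestamp, so a source that keeps retrying stays blocked until it has been quiet for a full 24 hours, and the same holds for an admin who trips the limit: the next attempt restarts the clock (the ADMIN scenario is dropped again at 86401 and only accepted at 97201). A source that never exceeds two connections a day never matches at all, so the rule limits burst guessing rather than replacing key-only logins.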
mahuani
n00b
Posts: 31
Joined: Sat Jun 11, 2005 10:13 pm
Location: New Orleans, LA

Post by mahuani » Sat Aug 19, 2006 5:27 am

Another option might be denyhosts. It gives loads of configuration options and the ability to sync with a central server that keeps a list of IPs known to be attacking.

emerge app-admin/denyhosts
kamagurka
Veteran
Posts: 1026
Joined: Sun Jan 25, 2004 1:55 am
Location: /germany/munich

Post by kamagurka » Sun Aug 20, 2006 6:23 pm

I found that using a really strange port number for ssh works fine. If that fails, a big cardboard "no bots allowed here" sign on the workstation does wonders, too =D
If you loved me, you'd all kill yourselves today.
--Spider Jerusalem, the Word
.:chrome:.
Advocate
Posts: 4588
Joined: Sat Feb 19, 2005 7:19 pm
Location: Brescia, Italy

Post by .:chrome:. » Sun Aug 20, 2006 6:35 pm

kamagurka wrote: I found that using a really strange port number for ssh works fine. If that fails, a big cardboard "no bots allowed here" sign on the workstation does wonders, too =D
This can't solve the problem.
A portscan can find the new port number, and this method doesn't work with firewalls.

The right solution is using tools such as portsentry, denyhosts, or knockd.
kamagurka
Veteran
Posts: 1026
Joined: Sun Jan 25, 2004 1:55 am
Location: /germany/munich

Post by kamagurka » Sun Aug 20, 2006 6:47 pm

You are, of course, right. But doesn't choosing a very high non-standard port number protect you from portscans?
If you loved me, you'd all kill yourselves today.
--Spider Jerusalem, the Word
.:chrome:.
Advocate
Posts: 4588
Joined: Sat Feb 19, 2005 7:19 pm
Location: Brescia, Italy

Post by .:chrome:. » Sun Aug 20, 2006 9:00 pm

kamagurka wrote: You are, of course, right. But doesn't choosing a very high non-standard port number protect you from portscans?
This is true... but in this manner you can connect to your SSH server if you are behind a firewall that (correctly) opens just port 22 and not others.
kamagurka
Veteran
Posts: 1026
Joined: Sun Jan 25, 2004 1:55 am
Location: /germany/munich

Post by kamagurka » Sun Aug 20, 2006 10:21 pm

k.gothmog wrote:
kamagurka wrote: You are, of course, right. But doesn't choosing a very high non-standard port number protect you from portscans?
This is true... but in this manner you can connect to your SSH server if you are behind a firewall that (correctly) opens just port 22 and not others.
I don't know how you do it, but I just forwarded the port. Or do you mean when you're behind a firewall that you don't control?
If you loved me, you'd all kill yourselves today.
--Spider Jerusalem, the Word
James Wells
n00b
Posts: 57
Joined: Fri Sep 10, 2004 4:26 pm

Post by James Wells » Sun Aug 20, 2006 10:26 pm

kamagurka wrote: You are, of course, right. But doesn't choosing a very high non-standard port number protect you from portscans?
Yes and no. This will protect you from most script kiddie tools; however, those tools generally only scan standard ports. Sadly, most of the bot / zombie nets are using tools vastly superior to what script kiddies use, tools that specifically scan ports in the 56K - 64K range to look for these types of openings. That's actually the reason I have given up on hiding ports, and instead have opted to simply use abuse blockers, like the iptables piece I did above.
© 2001–2026 Gentoo Foundation, Inc.