
Thread: Help blocking failed SSH login attempts...

  1. #1

    Default Help blocking failed SSH login attempts...

    Hello,

    I have an SSH server set up on my machine. For security reasons, I have disabled keyboard authentication and have allowed only key based authentication. I have also installed a program called DenyHosts which is a Python program that is supposed to block failed SSH login attempts. It has added a few IP addresses to my /etc/hosts.deny file. I'm not 100% sure if it's working or not. The IP addresses that are listed in /etc/hosts.deny still are able to connect to my machine. I see brute-force type attacks going on... this worries me, even though they can't get in. There are a LOT!! of these, all from the same IP address.

    Here's a sample of the log file:
    Code:
    ...
    2015-06-22T16:59:32.544648-04:00 linux-lz5i sshd[8744]: User root from 104.236.196.56 not allowed because not listed in AllowUsers
    2015-06-22T16:59:32.545272-04:00 linux-lz5i sshd[8744]: input_userauth_request: invalid user root [preauth]
    2015-06-22T16:59:32.580041-04:00 linux-lz5i sshd[8744]: Received disconnect from 104.236.196.56: 11: Bye Bye [preauth]
    2015-06-22T16:59:33.229593-04:00 linux-lz5i sshd[8746]: User root from 104.236.196.56 not allowed because not listed in AllowUsers
    2015-06-22T16:59:33.230238-04:00 linux-lz5i sshd[8746]: input_userauth_request: invalid user root [preauth]
    2015-06-22T16:59:33.261910-04:00 linux-lz5i sshd[8746]: Received disconnect from 104.236.196.56: 11: Bye Bye [preauth]
    2015-06-22T16:59:33.575300-04:00 linux-lz5i sshd[8748]: User root from 104.236.196.56 not allowed because not listed in AllowUsers
    ...
    I just rotated the log and it's already 541k from this guy. DenyHosts added him to the /etc/hosts.deny file. I'm thinking the /etc/hosts.deny file just prevents the IP from logging in, not connecting to my system. Is there any easy way to automatically make IP addresses that try to connect unsuccessfully to my system more than once within, let's say, 30 minutes, get banned permanently? So when they tried to connect, it appears that my machine just completely vanished from the face of the earth? Not just for that port, but ALL of my ports? Any help would be greatly appreciated.

    Thank you.

    P.S. - I was thinking maybe an iptables rule? Perhaps I could modify the denyhosts so instead of adding IPs to a /etc/hosts, it could add them to an /etc/blacklists file and my iptables could read from that file or maybe I could modify it so it runs the iptables rule automatically to block the users?

  2. #2

    Default Re: Help blocking failed SSH login attempts...

    On 2015-06-22 23:56, Spork Schivago wrote:

    > P.S. - I was thinking maybe an iptables rule?


    There is already a rule in the SuSEfirewall for this. You just have to
    read the file and configure the entry...

    Look for "FW_SERVICES_ACCEPT_EXT="

    --
    Cheers / Saludos,

    Carlos E. R.

    (from 13.1 x86_64 "Bottle" (Minas Tirith))

  3. #3

    Default Re: Help blocking failed SSH login attempts...

    Quote Originally Posted by robin_listas View Post
    On 2015-06-22 23:56, Spork Schivago wrote:

    > P.S. - I was thinking maybe an iptables rule?


    There is already a rule in the SuSEfirewall for this. You just have to
    read the file and configure the entry...

    Look for "FW_SERVICES_ACCEPT_EXT="

    --
    Cheers / Saludos,

    Carlos E. R.

    (from 13.1 x86_64 "Bottle" (Minas Tirith))
    Thanks for taking the time to respond to my question Carlos. I'm not really seeing how the FW_SERVICES_ACCEPT_EXT can help me automatically block IP addresses that try to connect to my SSH port after 1 failed attempt... in the SuSEFirewall2, under the "FW_SERVICES_ACCEPT_EXT=" I have this:

    FW_SERVICES_ACCEPT_EXT="0/0,tcp,51413
    0/0,udp,51413
    0/0,tcp,22
    0/0,udp,22
    192.168.2.3/24,tcp,80"


    My understanding was the above allowed traffic from any network with any subnet mask to connect to my machine via TCP or UDP on port 51413, on port 22, and to only allow traffic from one computer on the local area network (192.168.2.3, subnet mask 255.255.255.0) to connect on port 80.

    I could set it up so port 22 was closed off to the rest of the world, but then I have the problem of the right people who don't live here not being able to connect from the outside world...

    Their IP addresses aren't static. They change, sometimes regularly. Hence the reason I wanted a hey, you got one chance to connect. If you don't connect successfully you're not the right person, good bye! thing.

  4. #4

    Default Re: Help blocking failed SSH login attempts...

    On Mon, 22 Jun 2015 23:46:01 +0000, Spork Schivago wrote:

    > robin_listas;2716448 Wrote:
    >> On 2015-06-22 23:56, Spork Schivago wrote:
    >>
    >> > P.S. - I was thinking maybe an iptables rule?

    >>
    >> There is already a rule in the SuSEfirewall for this. You just have to
    >> read the file and configure the entry...
    >>
    >> Look for "FW_SERVICES_ACCEPT_EXT="
    >>
    >> --
    >> Cheers / Saludos,
    >>
    >> Carlos E. R.
    >>
    >> (from 13.1 x86_64 "Bottle" (Minas Tirith))

    >
    > Thanks for taking the time to respond to my question Carlos. I'm not
    > really seeing how the FW_SERVICES_ACCEPT_EXT can help me automatically
    > block IP addresses who try to connect to my SSH port after 1 failed
    > attempt...in the SuSEFirewall2, under the "FW_SERVICES_ACCEPT_EXT=" I
    > have this:
    >
    > FW_SERVICES_ACCEPT_EXT="0/0,tcp,51413 0/0,udp,51413 0/0,tcp,22
    > 0/0,udp,22 192.168.2.3/24,tcp,80
    >
    >
    > My understanding was the above allowed traffic from any network with any
    > subnet mask to connect to my machine via TCP or UDP on port 51413, on
    > port 22, and to only allow traffic from one computer on the local area
    > network (192.168.2.3, subnet mask 255.255.255.0) to connect on port 80.
    >
    > I could set it up so port 22 was closed off to the rest of the world,
    > but then I have the problem of the right people who don't live here not
    > being able to connect from the outside world...
    >
    > Their IP addresses aren't static. They change, sometimes regularly.
    > Hence the reason I wanted a hey, you got one chance to connect. If you
    > don't connect successfully you're not the right person, good bye! thing.


    An easy solution would be to listen on a port other than 22. I seem to
    recall something about DenyHosts maybe not working well with tcp wrappers
    - I use blockhosts myself, and it works OK with ssh.

    Jim



    --
    Jim Henderson
    openSUSE Forums Administrator
    Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

  5. #5

    Default Re: Help blocking failed SSH login attempts...

    On 2015-06-23 01:46, Spork Schivago wrote:

    > Their IP addresses aren't static. They change, sometimes regularly.
    > Hence the reason I wanted a hey, you got one chance to connect. If you
    > don't connect successfully you're not the right person, good bye! thing.


    The comments on the file say exactly what to do:

    Code:
    #    Allow max three ssh connects per minute from the same IP address:
    #      "0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
    
    ie:
    
    FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"

    Perhaps you were looking at something else? It is exactly what you asked
    for, IMO...

    --
    Cheers / Saludos,

    Carlos E. R.

    (from 13.1 x86_64 "Bottle" (Minas Tirith))

  6. #6

    Default Re: Help blocking failed SSH login attempts...

    Quote Originally Posted by robin_listas View Post
    On 2015-06-23 01:46, Spork Schivago wrote:

    > Their IP addresses aren't static. They change, sometimes regularly.
    > Hence the reason I wanted a hey, you got one chance to connect. If you
    > don't connect successfully you're not the right person, good bye! thing.


    The comments on the file say exactly what to do:

    Code:
    #    Allow max three ssh connects per minute from the same IP address:
    #      "0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
    
    ie:
    
    FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"

    Perhaps you were looking at something else? It is exactly what you asked
    for, IMO...

    --
    Cheers / Saludos,

    Carlos E. R.

    (from 13.1 x86_64 "Bottle" (Minas Tirith))
    Oh my god! That's perfect!!! How the heck did I miss that?? If I remove the blockseconds, will it block them for life (or until I remove them from the iptables rule set)? I'm assuming that's how it blocks them, by adding a rule to iptables... I couldn't really find what the blockseconds does. According to the file, it's the seconds parameter. One more thing here Carlos, from reading the comments that I've missed every other time I read the file, the way it's worded, it almost sounds like it blocks anyone who's connecting three times in 1 minute. Does that mean even if they are successful it will block them? I can't really see a reason as to why they'd be connecting so quick like but I just want to make sure I understand this rule. Thank you!!!

  7. #7

    Default Re: Help blocking failed SSH login attempts...

    On 2015-06-23 04:26, Spork Schivago wrote:
    >
    > robin_listas;2716464 Wrote:



    > Oh my god! That's perfect!!! How the heck did I miss that?? If I
    > remove the blockseconds, will it block them for life (or until I remove
    > them from the iptables rule set)?


    No, default is 60 seconds. Just set it higher.

    > I'm assuming that's how it blocks
    > them, by adding a rule to iptables... I couldn't really find what the
    > blockseconds does. According to the file, it's the seconds parameter.
    > One more thing here Carlos, from reading the comments that I've missed
    > every other time I read the file, the way it's worded, it almost sounds
    > like it blocks anyone who's connecting three times in 1 minute.


    Yes.

    > Does
    > that mean even if they are successful it will block them? I can't
    > really see a reason as to why they'd be connecting so quick like but I
    > just want to make sure I understand this rule. Thank you!!!


    I don't know exactly how it works, but it needs three failed attempts in
    one minute, with those settings.

    Notice that "blockseconds" is not the time the connection from that IP
    is blocked, but the detection window. Say, they attempt once every 30
    seconds, the rule will not trigger. But they try once every 15", and it
    will. Then that IP will be blocked instantly, and I don't remember when
    it times out.

    If you need more control, you have to write the iptables rule yourself.
    But I would say that just the trick in SuSEfirewall would do the trick,
    with little resources.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 13.1 x86_64 "Bottle" at Telcontar)

  8. #8

    Default Re: Help blocking failed SSH login attempts...

    Quote Originally Posted by Spork_Schivago View Post
    I can't really see a reason as to why they'd be connecting so quick like but I just want to make sure I understand this rule.
    Code:
    for file in file1 file2 file3 file4
    do
       rsync -ptog hostname:/path/to/directory/$file .
    done
    That will probably make 4 connections in rapid succession.
    openSUSE Leap 15.1; KDE Plasma 5;
    testing Leap 15.2Alpha

  9. #9

    Default Re: Help blocking failed SSH login attempts...

    Quote Originally Posted by nrickert View Post
    Code:
    for file in file1 file2 file3 file4
    do
       rsync -ptog hostname:/path/to/directory/$file .
    done
    That will probably make 4 connections in rapid succession.
    Yes, you're more than likely right. I couldn't think of any reasons but being a coder, I always like to write code for the unexpected, you know, cover all the angles so there aren't any errors or anything when the users are using it. Thanks!

  10. #10

    Default Re: Help blocking failed SSH login attempts...

    Quote Originally Posted by robin_listas View Post
    On 2015-06-23 04:26, Spork Schivago wrote:
    >
    > robin_listas;2716464 Wrote:



    > Oh my god! That's perfect!!! How the heck did I miss that?? If I
    > remove the blockseconds, will it block them for life (or until I remove
    > them from the iptables rule set)?


    No, default is 60 seconds. Just set it higher.

    > I'm assuming that's how it blocks
    > them, by adding a rule to iptables... I couldn't really find what the
    > blockseconds does. According to the file, it's the seconds parameter.
    > One more thing here Carlos, from reading the comments that I've missed
    > every other time I read the file, the way it's worded, it almost sounds
    > like it blocks anyone who's connecting three times in 1 minute.


    Yes.

    > Does
    > that mean even if they are successful it will block them? I can't
    > really see a reason as to why they'd be connecting so quick like but I
    > just want to make sure I understand this rule. Thank you!!!


    I don't know exactly how it works, but it needs three failed attempts in
    one minute, with those settings.

    Notice that "blockseconds" is not the time the connection from that IP
    is blocked, but the detection window. Say, they attempt once every 30
    seconds, the rule will not trigger. But they try once every 15", and it
    will. Then that IP will be blocked instantly, and I don't remember when
    it times out.

    If you need more control, you have to write the iptables rule yourself.
    But I would say that just the trick in SuSEfirewall would do the trick,
    with little resources.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 13.1 x86_64 "Bottle" at Telcontar)

    So if I have this rule:
    Code:
    0/0,tcp,22,,hitcount=1,blockseconds=180,recentname=ssh
    That means if someone tries to log in once and they're unsuccessful, they're blocked, right? The time shouldn't matter because hitcount is set to one... or does it mean that on their second failed attempt within 3 minutes, they get blocked? Sorry for all the questions. I got a domain now and I'm working on setting up a website but I want to have the test code all run on my local Apache server before it's uploaded to the site. I plan on having a friend or two of mine help me with the site. I just want to make sure I'm secure and everything.
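The questions in this thread (the "blockseconds is the detection window, not the ban" point in #7, the rsync loop in #8, and the hitcount=1 rule in #10) all come down to how the kernel `recent` match counts connections. The following is an added example, not code from the thread or from SuSEfirewall2 itself. It assumes that `hitcount=H,blockseconds=S` is turned into the iptables pair `-m recent --name ssh --update --seconds S --hitcount H -j DROP` followed by `-m recent --name ssh --set -j ACCEPT`; the class `RecentRule`, the helper names, the source address 198.51.100.7 and the log sample (modelled on the excerpt in #1, one sshd child per connection) are all constructed here. It runs the model over sshd log lines and over the scenarios discussed above.

```python
"""Model of the iptables 'recent' match behind SuSEfirewall2's hitcount=/blockseconds=.

Assumed rule pair (my reading of what SuSEfirewall2 generates, not verified here):
    -m recent --name ssh --update --seconds S --hitcount H -j DROP
    -m recent --name ssh --set -j ACCEPT
The firewall counts TCP connections; it cannot tell a failed login from a successful one.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the excerpt in post #1: each sshd[pid] is one connection.
SAMPLE_LOG = """\
2015-06-22T16:59:32.544648-04:00 linux-lz5i sshd[8744]: User root from 104.236.196.56 not allowed because not listed in AllowUsers
2015-06-22T16:59:32.545272-04:00 linux-lz5i sshd[8744]: input_userauth_request: invalid user root [preauth]
2015-06-22T16:59:33.229593-04:00 linux-lz5i sshd[8746]: User root from 104.236.196.56 not allowed because not listed in AllowUsers
2015-06-22T16:59:33.575300-04:00 linux-lz5i sshd[8748]: User root from 104.236.196.56 not allowed because not listed in AllowUsers
2015-06-22T16:59:34.012345-04:00 linux-lz5i sshd[8750]: User root from 104.236.196.56 not allowed because not listed in AllowUsers
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[(?P<pid>\d+)\]: User \S+ from (?P<src>[\d.]+) not allowed"
)


def parse_connections(log_text):
    """Yield (source_ip, epoch_seconds) once per distinct sshd connection (pid)."""
    seen_pids = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["pid"] in seen_pids:
            continue
        seen_pids.add(m["pid"])
        yield m["src"], datetime.fromisoformat(m["ts"]).timestamp()


class RecentRule:
    """One 'recent' table: per source, the timestamps of packets it has sent."""

    def __init__(self, hitcount, seconds):
        self.hitcount = hitcount
        self.seconds = seconds
        self.stamps = defaultdict(list)

    def connect(self, src, t):
        """Verdict for a new connection from src at time t (seconds)."""
        window = [s for s in self.stamps[src] if s >= t - self.seconds]
        # --update --seconds S --hitcount H matches when H packets already sit in the
        # last S seconds.  Being --update, a dropped packet is recorded too, so the
        # block only lapses once the source has been quiet for a full S seconds.
        verdict = "DROP" if len(window) >= self.hitcount else "ACCEPT"
        self.stamps[src] = window + [t]  # --set / --update record this packet
        return verdict


def verdicts(times, hitcount, seconds, src="198.51.100.7"):
    """Run one source's connection times through a fresh rule; return the verdicts."""
    rule = RecentRule(hitcount, seconds)
    return [rule.connect(src, t) for t in times]


def verdicts_from_log(log_text, hitcount, seconds):
    """Apply the rule to every source in the log; return {src: [verdicts]}."""
    rule = RecentRule(hitcount, seconds)
    out = defaultdict(list)
    for src, t in parse_connections(log_text):
        out[src].append(rule.connect(src, t))
    return dict(out)


if __name__ == "__main__":
    # Post #7, hitcount=3,blockseconds=60: every 30 s never trips, every 15 s does.
    print("every 30 s:", verdicts(range(0, 180, 30), 3, 60))
    print("every 15 s:", verdicts(range(0, 120, 15), 3, 60))
    # Blocked source that then stays quiet for more than 60 s is let in again.
    print("quiet period:", verdicts([0, 15, 30, 45, 110], 3, 60))
    # Post #8: four rsync connections in under a second, the fourth is dropped.
    print("rsync loop:", verdicts([0.0, 0.2, 0.4, 0.6], 3, 60))
    # Post #10, hitcount=1,blockseconds=180: the second connection inside 3 minutes
    # is dropped regardless of whether the first login succeeded.
    print("hitcount=1:", verdicts([0, 100], 1, 180), verdicts([0, 200], 1, 180))
    print("log sample:", verdicts_from_log(SAMPLE_LOG, 3, 60))
```

Two things the model makes visible: the allowance is "hitcount connections per blockseconds window" counted on connections alone, so the rsync loop and a brute-forcer look identical to it, and a source that keeps hammering while blocked keeps refreshing its own entry, so the ban effectively lasts until it is quiet for blockseconds. If the real SuSEfirewall2 rule order is `--set` before `--update`, every allowance above shifts by one connection; check the generated rules with `iptables -L -v -n` and the table in /proc/net/xt_recent/ssh before relying on the exact count.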
