My server has been getting pounded by fraudulent ssh login attempts. They seem to be coming from only a few ip addresses. Most concerning to me (I am new at server admin) is the following message (one of thousands of the same):
Oct 25 15:40:27 li26-243 sshd[26916]: Invalid user brian from 129.111.112.112
Oct 25 15:40:27 li26-243 sshd[26918]: reverse mapping checking getaddrinfo for 112.112.uthscsa.edu [129.111.112.112] failed - POSSIBLE BREAK-IN ATTEMPT!
While I would appreciate ideas on a better way to stop this, since there are only a few ip addresses, is there a way to block a specific address from accesing my server at all? I can’t seem to find an option like this in the SUSEFirewall config.
If you want to just block a single IP, you can add the following line to the file /etc/hosts.allow
ALL: 129.111.112.112 : deny
However, it has been my experience that you will get many more than just the one. I use a program called blockhosts which automatically detects the failed attempts and adds them to the hosts.allow file. It was fairly easy to setup, but if I remember right, I did have to modify it slightly for the way Suse adds lines to /var/log/messages.
It’s not in the repos, so you will have to manually install it. Just do a google search for instructions. Let me know if you need any more help.
fiddling with symptoms. I’d rather use a non-default port for ssh if possible, or use port triggering. In my case switching to a non-default port was enough, nobody seems to check port <censored>
Thanks, I have it installed and running. I noticed instrtuctions on the wiki for using it on openSUSE; however, there were a few details that were out of date; I made a couple changes.
Sorry to resurrect a dead thread, but I was just looking for this information also, and this thread was one of the top google links.
I’m running 12.2 and noticed my system was getting hammered by a few specific IP addresses. I found that if you edit the file
/etc/sysconfig/scripts/SuSEfirewall2-custom
you can add normal iptables rules in the section:
fw_custom_before_denyall() { # could also be named "after_forwardmasq()" # these are the rules to be loaded after IP forwarding and masquerading
# but before the logging and deny all section is set by SuSEfirewall2.
# You can use this hook to prevent the logging of annoying packets.
#example: prevent logging of talk requests from anywhere
#for chain in input_ext input_dmz input_int forward_int forward_ext forward_dmz; do
# iptables -A $chain -j DROP -p udp --dport 517:518
#done
iptables -A INPUT -s 141.212.121.10 -j DROP # I don't know why these IP's are scanning me - but they are not invited!!
iptables -A INPUT -s 98.196.255.87 -j DROP
iptables -A INPUT -s 98.143.36.192 -j DROP
iptables -A INPUT -s 46.165.222.84 -j DROP
# true
}
Restart the firewall and those IP addresses will be blocked.
like buckesfeld said, the easiest is to redirect from the router the calls on a different port. So if you ssh from outside your network instead of using default port 22 use any other in another range(>6000 for example) . That way they will have to extensive scanning on ports to find out on which port you respond to ssh. then in the router you redirect any calls to the ssh chosen port to port 22 on the machine you want. This way your iptables will not have to be up to date with ip banned and always other ip’s will try to knock on the ssh door again and again. You’ll just have to use a different command for ssh which includes the port when calling from outside your network.
so is there a way in openSUSE 13.2 to block single IP address using Yast? I’m not talking about specific port, like ssh. I want to block EVERYTHING, like mentioned rule:
On 2015-06-09 08:46, deano ferrari wrote:
>
> gianfrus;2714123 Wrote:
>> Hi bobbymcgill, I see that you commented the final ‘true’ statement in
>> the script. Is it right? What’s the function of this ‘true’?
>>
>> Thank you.
> It’s a comment (ie no function)
Yes, but it can be un-commented, and then it does something.
All of the functions in /etc/sysconfig/scripts/SuSEfirewall2-custom end
with a line with “true”. What does it do?
I have asked myself that question for over a decade.
I suspect the way it was written is that these scripts get called with an error trap set, so that a problematic iptables rule can cause the function to terminate early.
> It returns true (unconditionally). You’d need to ask the developers why
> they needed it to return like that.
I’m afraid they will not answer. The comments on the ‘/etc/sysconfig/scripts/SuSEfirewall2-custom’ file say:
# This is file is for SuSEfirewall2 and is an example for using
# the hooks which are supplied to load customized iptables rules.
#
# THERE IS NO HELP FOR USING HOOKS EXCEPT THIS FILE ! SO READ CAREFULLY !
# IT IS USEFUL TO CROSS-READ /sbin/SuSEfirewall2 TO SEE HOW HOOKS WORK !
Which to my somewhat limited understanding of English means that the file is not documented, nor will be, and no help will be given on it. And that we have to read the source code of /sbin/SuSEfirewall2 to understand it, for which we’d need to be a developer.
On 2015-06-09 23:56, deano ferrari wrote:
>
> deano_ferrari;2714344 Wrote:
>> It returns true (unconditionally). You’d need to ask the developers why
>> they needed it to return like that.
> I suspect the way it was written is that these scripts get called with
> an error trap set, so that a problematic iptables rule can cause the
> function to terminate early.