Help blocking failed SSH login attempts...

Hello,

I have an SSH server setup on my machine. For security reasons, I have disabled keyboard authentication and have allowed only key based authentication. I have also installed a program called DenyHosts which is a Python program that is supposed to block failed SSH login attempts. It has added a few IP addresses to my /etc/hosts.deny file. I’m not 100% sure if it’s working or not. The IP addresses that are listed in /etc/hosts.deny are still able to connect to my machine. I see brute-force type attacks going on…this worries me, even though they can’t get in. There are a LOT!! of these, all from the same IP address.

Here’s a sample of the log file:


...
2015-06-22T16:59:32.544648-04:00 linux-lz5i sshd[8744]: User root from 104.236.196.56 not allowed because not listed in AllowUsers
2015-06-22T16:59:32.545272-04:00 linux-lz5i sshd[8744]: input_userauth_request: invalid user root [preauth]
2015-06-22T16:59:32.580041-04:00 linux-lz5i sshd[8744]: Received disconnect from 104.236.196.56: 11: Bye Bye [preauth]
2015-06-22T16:59:33.229593-04:00 linux-lz5i sshd[8746]: User root from 104.236.196.56 not allowed because not listed in AllowUsers
2015-06-22T16:59:33.230238-04:00 linux-lz5i sshd[8746]: input_userauth_request: invalid user root [preauth]
2015-06-22T16:59:33.261910-04:00 linux-lz5i sshd[8746]: Received disconnect from 104.236.196.56: 11: Bye Bye [preauth]
2015-06-22T16:59:33.575300-04:00 linux-lz5i sshd[8748]: User root from 104.236.196.56 not allowed because not listed in AllowUsers
...

I just rotated the log and it’s already 541k from this guy. DenyHosts added him to the /etc/hosts.deny file. I’m thinking the /etc/hosts.deny file just prevents the IP from logging in, not connecting to my system. Is there any easy way to automatically make IP addresses that try to connect unsuccessfully to my system more than once within, let’s say, 30 minutes, get banned permanently? So when they try to connect, it appears that my machine just completely vanished from the face of the earth? Not just for that port, but ALL of my ports? Any help would be greatly appreciated.

Thank you.

P.S. - I was thinking maybe an iptables rule? Perhaps I could modify the denyhosts so instead of adding IPs to a /etc/hosts, it could add them to an /etc/blacklists file and my iptables could read from that file or maybe I could modify it so it runs the iptables rule automatically to block the users?
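As an added example (not code from the thread or from DenyHosts), the check the post asks for in Python: parse the sshd “not allowed because not listed in AllowUsers” lines, count rejections per source address over a sliding 30-minute window, and emit an iptables command that drops every port from any address that exceeds the threshold. The sample log is constructed from the excerpt above plus one made-up single failure from 198.51.100.7; the `INPUT`-chain command is illustrative and is only printed, never run.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the rejection line sshd logs on a key-only server with AllowUsers set.
FAIL_RE = re.compile(
    r"^(\S+) \S+ sshd\[\d+\]: User \S+ from (\d+\.\d+\.\d+\.\d+) "
    r"not allowed because not listed in AllowUsers")

# Constructed sample: three lines from the thread's log excerpt plus one
# made-up single failure from a documentation-range address (198.51.100.7).
SAMPLE_LOG = """\
2015-06-22T16:59:32.544648-04:00 linux-lz5i sshd[8744]: User root from 104.236.196.56 not allowed because not listed in AllowUsers
2015-06-22T16:59:32.545272-04:00 linux-lz5i sshd[8744]: input_userauth_request: invalid user root [preauth]
2015-06-22T16:59:33.229593-04:00 linux-lz5i sshd[8746]: User root from 104.236.196.56 not allowed because not listed in AllowUsers
2015-06-22T16:59:33.575300-04:00 linux-lz5i sshd[8748]: User root from 104.236.196.56 not allowed because not listed in AllowUsers
2015-06-22T17:05:10.000000-04:00 linux-lz5i sshd[8750]: User admin from 198.51.100.7 not allowed because not listed in AllowUsers
""".splitlines()

def parse_failures(lines):
    """Yield (timestamp, ip) for every AllowUsers rejection; other lines are skipped."""
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2)

def offenders(lines, window=timedelta(minutes=30), threshold=2):
    """Return {ip: peak_count} for IPs with at least `threshold` rejections
    inside some sliding window of length `window`. Lines must be in time order."""
    recent = defaultdict(deque)   # ip -> rejection timestamps still inside the window
    flagged = {}
    for ts, ip in parse_failures(lines):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # drop hits that have aged out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

def block_commands(flagged):
    """iptables commands dropping every port from each flagged IP (printed, not executed)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(flagged)]

if __name__ == "__main__":
    hits = offenders(SAMPLE_LOG)
    print(hits)
    print("\n".join(block_commands(hits)))
```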

On 2015-06-22 23:56, Spork Schivago wrote:

> P.S. - I was thinking maybe an iptables rule?

There is already a rule in the SuSEfirewall for this. You just have to
read the file and configure the entry…

Look for “FW_SERVICES_ACCEPT_EXT=”


Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))

Thanks for taking the time to respond to my question Carlos. I’m not really seeing how the FW_SERVICES_ACCEPT_EXT can help me automatically block IP addresses that try to connect to my SSH port after 1 failed attempt…in the SuSEFirewall2, under the “FW_SERVICES_ACCEPT_EXT=” I have this:

FW_SERVICES_ACCEPT_EXT="0/0,tcp,51413
0/0,udp,51413
0/0,tcp,22
0/0,udp,22
192.168.2.3/24,tcp,80

My understanding was the above allowed traffic from any network with any subnet mask to connect to my machine via TCP or UDP on port 51413, on port 22, and to only allow traffic from one computer on the local area network (192.168.2.3, subnet mask 255.255.255.0) to connect on port 80.

I could set it up so port 22 was closed off to the rest of the world, but then I have the problem of the right people who don’t live here not being able to connect from the outside world…

Their IP addresses aren’t static. They change, sometimes regularly. Hence the reason I wanted a hey, you got one chance to connect. If you don’t connect successfully you’re not the right person, good bye! thing.

On Mon, 22 Jun 2015 23:46:01 +0000, Spork Schivago wrote:

> robin_listas;2716448 Wrote:
>> On 2015-06-22 23:56, Spork Schivago wrote:
>>
>> > P.S. - I was thinking maybe an iptables rule?
>>
>> There is already a rule in the SuSEfirewall for this. You just have to
>> read the file and configure the entry…
>>
>> Look for “FW_SERVICES_ACCEPT_EXT=”
>>
>> –
>> Cheers / Saludos,
>>
>> Carlos E. R.
>>
>> (from 13.1 x86_64 “Bottle” (Minas Tirith))
>
> Thanks for taking the time to respond to my question Carlos. I’m not
> really seeing how the FW_SERVICES_ACCEPT_EXT can help me automatically
> block IP addresses who try to connect to my SSH port after 1 failed
> attempt…in the SuSEFirewall2, under the “FW_SERVICES_ACCEPT_EXT=” I
> have this:
>
> FW_SERVICES_ACCEPT_EXT="0/0,tcp,51413 0/0,udp,51413 0/0,tcp,22
> 0/0,udp,22 192.168.2.3/24,tcp,80
>
>
> My understanding was the above allowed traffic from any network with any
> subnet mask to connect to my machine via TCP or UDP on port 51413, on
> port 22, and to only allow traffic from one computer on the local area
> network (192.168.2.3, subnet mask 255.255.255.0) to connect on port 80.
>
> I could set it up so port 22 was closed off to the rest of the world,
> but then I have the problem of the right people who don’t live here not
> being able to connect from the outside world…
>
> Their IP addresses aren’t static. They change, sometimes regularly.
> Hence the reason I wanted a hey, you got one chance to connect. If you
> don’t connect successfully you’re not the right person, good bye! thing.

An easy solution would be to listen on a port other than 22. I seem to
recall something about DenyHosts maybe not working well with tcp wrappers
- I use blockhosts myself, and it works OK with ssh.

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

On 2015-06-23 01:46, Spork Schivago wrote:

> Their IP addresses aren’t static. They change, sometimes regularly.
> Hence the reason I wanted a hey, you got one chance to connect. If you
> don’t connect successfully you’re not the right person, good bye! thing.

The comments on the file say exactly what to do:


#    Allow max three ssh connects per minute from the same IP address:
#      "0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"

ie:

FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"

Perhaps you were looking at something else? It is exactly what you asked
for, IMO…


Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))

Oh my god! That’s perfect!!! How the heck did I miss that?? If I remove the blockseconds, will it block them for life (or until I remove them from the iptables rule set)? I’m assuming that’s how it blocks them, by adding a rule to iptables… I couldn’t really find what the blockseconds does. According to the file, it’s the seconds parameter. One more thing here Carlos, from reading the comments that I’ve missed every other time I read the file, the way it’s worded, it almost sounds like it blocks anyone who’s connecting three times in 1 minute. Does that mean even if they are successful it will block them? I can’t really see a reason as to why they’d be connecting so quick like but I just want to make sure I understand this rule. Thank you!!!


for file in file1 file2 file3 file4
do
   rsync -ptog hostname:/path/to/directory/$file .
done

That will probably make 4 connections in rapid succession.

On 2015-06-23 04:26, Spork Schivago wrote:
>
> robin_listas;2716464 Wrote:

> Oh my god! That’s perfect!!! How the heck did I miss that?? If I
> remove the blockseconds, will it block them for life (or until I remove
> them from the iptables rule set)?

No, default is 60 seconds. Just set it higher.

> I’m assuming that’s how it blocks
> them, by adding a rule to iptables… I couldn’t really find what the
> blockseconds does. According to the file, it’s the seconds parameter.
> One more thing here Carlos, from reading the comments that I’ve missed
> every other time I read the file, the way it’s worded, it almost sounds
> like it blocks anyone who’s connecting three times in 1 minute.

Yes.

> Does
> that mean even if they are successful it will block them? I can’t
> really see a reason as to why they’d be connecting so quick like but I
> just want to make sure I understand this rule. Thank you!!!

I don’t know exactly how it works, but it needs three failed attempts in
one minute, with those settings.

Notice that “blockseconds” is not the time the connection from that IP
is blocked, but the detection window. Say, they attempt once every 30
seconds, the rule will not trigger. But they try once every 15", and it
will. Then that IP will be blocked instantly, and I don’t remember when
it times out.

If you need more control, you have to write the iptables rule yourself.
But I would say that just the trick in SuSEfirewall would do the trick,
with little resources.


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

Yes, you’re more than likely right. I couldn’t think of any reasons but being a coder, I always like to write code for the unexpected, you know, cover all the angles so there aren’t any errors or anything when the users are using it. Thanks!

So if I have this rule:


0/0,tcp,22,,hitcount=1,blockseconds=180,recentname=ssh

That means if someone tries to log in once and they’re unsuccessful, they’re blocked, right? The time shouldn’t matter because hit count is set to one…or does it mean that on their second failed attempt within 3 minutes, they get blocked? Sorry for all the questions. I got a domain now and I’m working on setting up a website but I want to have the test code all run on my local Apache server before it’s uploaded to the site. I plan on having a friend or two of mine help me with the site. I just want to make sure I’m secure and everything.

Hi,

IMHO, that is what all coders/developers/programmers are dreaming of, ‘BUG FREE CODE’, but that is just wishful thinking…

Quoting someone who wrote this.

The programmer who has never written a buggy program is a figment of someone’s imagination

Just saying…

On 2015-06-23 06:06, Spork Schivago wrote:

> So if I have this rule:
>
> Code:
> --------------------
>
> 0/0,tcp,22,hitcount=1,blockseconds=180,recentname=ssh
>
> --------------------
>
>
> That means if someone tries to log in once and they’re unsuccessful,
> they’re blocked, right?

Yes, but I would not do that. Mistakes by people that should connect are
possible. It happens to me…

An attacker will try as many times as possible. Possibly even if the
firewall blocks him. It is a script and is tireless…

> The time shouldn’t matter because hit count is
> set to one…or does it mean that on their second failed attempt within
> 3 minutes, they get blocked?

The second attempt would be rejected, yes.

And another attempt after 3 minutes would work.

> site. I just want to make sure I’m secure and everything.

Unfortunately, “being sure” is not possible…


Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))

On 2015-06-23 04:56, nrickert wrote:
> That will probably make 4 connections in rapid succession.

I’m unsure if the “recent” rule counts any attempts, or only failed
attempts. Maybe all.


Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))
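As an added example (not code from the thread or from SuSEfirewall2), a Python model of the iptables `recent` list that a `hitcount=…,blockseconds=…,recentname=ssh` entry is assumed to turn into. It plays through Carlos’s every-30-seconds and every-15-seconds cases, the `hitcount=1` rule from the later post, and nrickert’s four-connection rsync loop. The rule order (check the window, then record the hit) and the recording of dropped hits are the model’s assumptions; that every new connection counts, successful or not, follows from the firewall never seeing the authentication result.

```python
from collections import deque

class RecentList:
    """Model of one iptables `recent` list, assumed (not confirmed by the thread)
    to be what SuSEfirewall2 builds for "hitcount=H,blockseconds=S,recentname=ssh".
    A packet filter cannot see whether the SSH login succeeds, so every new
    connection to the port is a hit, successful ones included."""

    def __init__(self, hitcount, blockseconds):
        self.hitcount = hitcount
        self.window = blockseconds   # detection window, not a fixed ban length
        self.seen = {}               # ip -> deque of hit times (seconds)

    def connect(self, ip, t):
        """Return 'ACCEPT' or 'DROP' for a new connection from `ip` at time `t`."""
        hits = self.seen.setdefault(ip, deque())
        while hits and t - hits[0] > self.window:   # age out hits older than the window
            hits.popleft()
        # Assumed rule order: check the window first, then record this hit.
        # Hence exactly `hitcount` connections per window get through, and a
        # dropped hit is recorded too, so the block only lifts after the source
        # has been silent for a full window.
        verdict = "DROP" if len(hits) >= self.hitcount else "ACCEPT"
        hits.append(t)
        return verdict

def simulate(hitcount, blockseconds, times, ip="198.51.100.7"):
    """Verdicts for one source connecting at the given times (constructed input)."""
    fw = RecentList(hitcount, blockseconds)
    return [fw.connect(ip, t) for t in times]

if __name__ == "__main__":
    print(simulate(3, 60, [0, 30, 60, 90, 120]))   # one every 30 s: never trips
    print(simulate(3, 60, [0, 15, 30, 45, 60]))    # one every 15 s: 4th and 5th dropped
    print(simulate(1, 180, [0, 10, 200]))          # hitcount=1: 2nd dropped, ok again after 3 min
    print(simulate(3, 60, [0, 1, 2, 3]))           # the four-file rsync loop: 4th dropped
```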

I allow only public key authentication. That seems to me to be secure enough. I see the breakin attempts as filling my log files, but not otherwise doing any harm.

One move that will make 99,99% of those go away:
Move ssh to another port.

That, combined with PKI and keeping your system up to date will eliminate virtually all threats.

LOL, yeah! I didn’t mean to imply that I don’t make my mistakes. I should have said when I write code, I try to write for the unexpected. For example, say I write a C program that asks for the user’s name. I could assume that when I ask for their name, the user’s going to enter their name. But I’ll check to see if they enter stuff that isn’t a name. Like just Enter. Or maybe numbers, etc. No matter how hard I try, it seems there’s always something I forget! Sometimes I don’t realize it till way later down the road.

I guess the point that I was trying to make was just because I couldn’t think of a reason as to why a valid user would try to connect to my system repeatedly in a very short amount of time didn’t mean there wasn’t a valid reason. That was the point in me asking if it would block successful logins or just failed ones.

I’m working on some webpage stuff and there’s a LOT of bugs! I’m slowly learning but web design was never my strong suit.

Yeah, same here. I only allow public key authentication. That’s why I was thinking a one attempt rule would be okay. With a public key, there’s no whoops, I typed the wrong password. I guess they could accidentally set it up wrong and perhaps try using their SSH program without the key, on accident, and maybe that’s why I should set the count to more than 1…

What would be the lowest number I would want to go? I seem to remember, back when I was in high school or some time around then, I used to run port scanners on websites (just trying to learn, that was all) and they could do a decent amount of ports in a short time. I would think though, with this firewall rule that I now have set, even if I had the port set to something like 200, it’d take a portscanner an extremely long time to get that high because of the 3 minute wait per failed attempt…

Is there a limit as to how high I can go? If I wanted something like port 65,536, would I be able to have that port? Just as an example…or port 700,000? Thanks.

Thanks Carlos. I didn’t have a lot of sleep yesterday and was going on empty! I understand the rule now. I appreciate the help. I believe you said the only way to get it to permanently block an IP is to write my own iptables rule? I’m using public key authentication and I’ve disabled keyboard-authentication completely. That’s why I was thinking if they couldn’t connect on the first try, they weren’t a valid user. I guess if they set up the SSH client incorrectly and don’t point it to the key (they’re stored on a thumb drive and they’re required to remove the thumb drive when they’re not connected), it could cause problems. The thumb drives have a stored session file on them and most of my friends use Windows so I’ve thrown in a modified portable version of PuTTY that can read and store keys in a file instead of the registry. All they have to do is point and click. Stuff could still go wrong though I guess so I’ll change it to 3 tries before they’re blocked.

The TCP ports end at 65535 (if you think 0 as the first).

I would put it somewhere around the 30-60k range. Don’t use 31337, it’s too common :-)