Hello,
I have an SSH server set up on my machine. For security reasons, I have disabled keyboard authentication and have allowed only key based authentication. I have also installed a program called DenyHosts which is a Python program that is supposed to block failed SSH login attempts. It has added a few IP addresses to my /etc/hosts.deny file. I’m not 100% sure if it’s working or not. The IP addresses that are listed in /etc/hosts.deny still are able to connect to my machine. I see brute-force type attacks going on…this worries me, even though they can’t get in. There are a LOT!! of these, all from the same IP address.
Here’s a sample of the log file:
...
2015-06-22T16:59:32.544648-04:00 linux-lz5i sshd[8744]: User root from 104.236.196.56 not allowed because not listed in AllowUsers
2015-06-22T16:59:32.545272-04:00 linux-lz5i sshd[8744]: input_userauth_request: invalid user root [preauth]
2015-06-22T16:59:32.580041-04:00 linux-lz5i sshd[8744]: Received disconnect from 104.236.196.56: 11: Bye Bye [preauth]
2015-06-22T16:59:33.229593-04:00 linux-lz5i sshd[8746]: User root from 104.236.196.56 not allowed because not listed in AllowUsers
2015-06-22T16:59:33.230238-04:00 linux-lz5i sshd[8746]: input_userauth_request: invalid user root [preauth]
2015-06-22T16:59:33.261910-04:00 linux-lz5i sshd[8746]: Received disconnect from 104.236.196.56: 11: Bye Bye [preauth]
2015-06-22T16:59:33.575300-04:00 linux-lz5i sshd[8748]: User root from 104.236.196.56 not allowed because not listed in AllowUsers
...
I just rotated the log and it’s already 541k from this guy. DenyHosts added him to the /etc/hosts.deny file. I’m thinking the /etc/hosts.deny file just prevents the IP from logging in, not connecting to my system. Is there any easy way to automatically make IP addresses that try to connect unsuccessfully to my system more than once within, let’s say, 30 minutes, get banned permanently? So when they try to connect, it appears that my machine just completely vanished from the face of the earth? Not just for that port, but ALL of my ports? Any help would be greatly appreciated.
Thank you.
P.S. - I was thinking maybe an iptables rule? Perhaps I could modify the denyhosts so instead of adding IPs to a /etc/hosts, it could add them to an /etc/blacklists file and my iptables could read from that file or maybe I could modify it so it runs the iptables rule automatically to block the users?
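One way to implement the iptables idea from the P.S., added here as example code that is not DenyHosts's own: parse the AllowUsers rejections in the log format shown above, flag any IP with two or more rejections inside a 30-minute window, and emit a DROP rule for the INPUT chain so every port is blocked. The sample log, the threshold and the second address (a documentation range) are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the poster's log format (192.0.2.10 is a documentation address).
SAMPLE_LOG = """\
2015-06-22T16:59:32.544648-04:00 linux-lz5i sshd[8744]: User root from 104.236.196.56 not allowed because not listed in AllowUsers
2015-06-22T16:59:33.229593-04:00 linux-lz5i sshd[8746]: User root from 104.236.196.56 not allowed because not listed in AllowUsers
2015-06-22T16:59:33.575300-04:00 linux-lz5i sshd[8748]: User root from 104.236.196.56 not allowed because not listed in AllowUsers
2015-06-22T17:10:00.000000-04:00 linux-lz5i sshd[8800]: User admin from 192.0.2.10 not allowed because not listed in AllowUsers
2015-06-22T18:30:00.000000-04:00 linux-lz5i sshd[8900]: User admin from 192.0.2.10 not allowed because not listed in AllowUsers
"""

# The rejection sshd logs when AllowUsers blocks a login (one line per attempt).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: User \S+ from (?P<ip>\d+(?:\.\d+){3}) "
    r"not allowed because not listed in AllowUsers"
)

def parse_failures(log_text):
    """Map each source IP to the sorted timestamps of its rejections."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # timestamp is ISO 8601 with offset, which fromisoformat accepts
            failures[m.group("ip")].append(datetime.fromisoformat(m.group("ts")))
    return {ip: sorted(ts) for ip, ts in failures.items()}

def offenders(failures, threshold=2, window=timedelta(minutes=30)):
    """IPs with at least `threshold` rejections inside any `window`-long span."""
    banned = set()
    for ip, times in failures.items():
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                banned.add(ip)
                break
    return banned

def iptables_rules(banned):
    """DROP at the top of INPUT blocks every port and sends no reply, so the
    scanner just times out. Persist with iptables-save; needs root to apply."""
    return ["iptables -I INPUT -s %s -j DROP" % ip for ip in sorted(banned)]

if __name__ == "__main__":
    for rule in iptables_rules(offenders(parse_failures(SAMPLE_LOG))):
        print(rule)  # prints the rule instead of applying it; pipe to sh as root
```

Unlike /etc/hosts.deny, which only affects services that consult TCP wrappers, a DROP rule in INPUT discards the packets before any service sees them, on every port. Rules added this way are lost on reboot unless saved with iptables-save, so run the script from cron or a log watcher and persist its output.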