Help blocking failed SSH login attempts...

On 2015-06-23 19:56, Spork Schivago wrote:

> I had the port set to something like 200, it’d take a portscanner an
> extremely long time to get that high because of the 3 minute wait per
> failed attempt…

The “recent” rule detects attempts on one port. If they hit the next,
the rule does nothing. To detect portscans you need other techniques.
You could use both things, of course.

However, dedicated, malign scanners would perhaps do a port per minute,
scanning all ports in a range randomly, so they are difficult to
detect. But they could scan a thousand hosts simultaneously.


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

Thanks everyone! I now have it set up where it blocks, after three failed attempts, for one year. I ended up going for a mix between the SuSEFirewall fix and the fail2ban program. The SuSE Firewall, albeit almost what I wanted, didn’t quite get me there. The nice thing about fail2ban is that I can customize it to send me an e-mail or a text message if need be. I like that. It’s a bit harder to configure, in my opinion, but it seems really powerful. I tested it by trying to connect with a username. I can try, unsuccessfully, 3 times, and then bam! My PC just magically vanishes.

Spork Schivago

On 2015-06-23 23:56, Spork Schivago wrote:

> with a username. I can try, unsuccessfully, 3 times, and then bam! My
> PC just magically vanishes.

Check that you can also connect, successfully, four times.


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

Good call, Carlos. I did check that as well, though, after I figured out how to unban myself. See, I didn’t realize that when the rule was added to the iptables, it was also going to kill my current successful connections. Once I found out how to undo the damage (I had to remove stuff from the log files and restart the firewall), I was able to connect successfully 5 times (real quick like).
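As an added illustration of the ban-after-three-failures logic described in this thread, and of the self-lockout in the last post, here is a small Python sketch (not code from fail2ban, SuSEFirewall or anyone in the thread) that applies a maxretry/findtime counting rule to constructed sshd log lines, with an ignoreip allowlist so the admin's own address never ends up on the ban list. The log format, timestamps and addresses are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Matches the sshd "Failed password" line for both valid and invalid users.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failures(lines):
    """Yield (timestamp_seconds, source_ip) for every failed sshd login line.
    Timestamps are plain integer seconds to keep the constructed sample simple."""
    for line in lines:
        ts_str, _, rest = line.partition(" ")
        m = FAILED_RE.search(rest)
        if m:
            yield int(ts_str), m.group("ip")

def find_bans(lines, maxretry=3, findtime=600, ignoreip=()):
    """Return {ip: time_of_ban} for sources with >= maxretry failures inside a
    findtime-second window; addresses inside any ignoreip network are skipped,
    mirroring fail2ban's ignoreip so the admin's own host is never banned."""
    ignored = [ip_network(n) for n in ignoreip]
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    bans = {}
    for ts, ip in parse_failures(lines):
        if ip in bans or any(ip_address(ip) in net for net in ignored):
            continue
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > findtime:   # expire failures older than findtime
            window.popleft()
        if len(window) >= maxretry:
            bans[ip] = ts
    return bans

# Constructed sample, "<seconds> <sshd message>": 203.0.113.7 fails three times quickly,
# 198.51.100.9 fails three times but spread beyond findtime, 192.0.2.10 is the admin's LAN host.
SAMPLE_LOG = [
    "1000 sshd[100]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "1005 sshd[100]: Failed password for root from 203.0.113.7 port 51235 ssh2",
    "1010 sshd[100]: Failed password for invalid user test from 203.0.113.7 port 51236 ssh2",
    "1020 sshd[101]: Failed password for bob from 198.51.100.9 port 40001 ssh2",
    "1700 sshd[101]: Failed password for bob from 198.51.100.9 port 40002 ssh2",
    "2400 sshd[101]: Failed password for bob from 198.51.100.9 port 40003 ssh2",
    "2500 sshd[102]: Failed password for spork from 192.0.2.10 port 33000 ssh2",
    "2501 sshd[102]: Failed password for spork from 192.0.2.10 port 33001 ssh2",
    "2502 sshd[102]: Failed password for spork from 192.0.2.10 port 33002 ssh2",
    "2503 sshd[102]: Accepted password for spork from 192.0.2.10 port 33003 ssh2",
]

if __name__ == "__main__":
    for ip, ts in find_bans(SAMPLE_LOG, ignoreip=["192.0.2.0/24"]).items():
        print(f"ban {ip} (third failure at t={ts})")
```

Running it without the ignoreip argument shows the admin's own 192.0.2.10 being banned after its three typos, which is exactly the lockout described above.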