HowtoForge Forums > Linux Forums > Suggest HOWTO

#1
Old 30th August 2009, 20:43
seshperankh
Junior Member
 
Join Date: Aug 2009
Posts: 2
Help with SSH issue

Hi. I am hoping someone can write a how to for this or point me in the right direction.

My boss wants me to set up something with SSHD so that when someone tries to log in 5 times and fails, it blocks their IP.

I would like to do this without multiple patches or add-ons. I will have to do this on 6 servers with different Linux distros.
  #2  
Old 30th August 2009, 20:50
martinfst
Senior Member
 
Join Date: Dec 2006
Location: Hilversum, The Netherlands
Posts: 880

Have a look at the package 'denyhosts'. It's available for various systems/distributions as a standard package.

http://denyhosts.sourceforge.net/
  #3  
Old 30th August 2009, 21:57
jon
Member
 
Join Date: Jan 2007
Location: Canada
Posts: 78

I use fail2ban for that; it's a simple Python script that takes care of that for you. Although if it's not available for all the distros you have, the DenyHosts idea would be great.
  #4  
Old 31st August 2009, 17:29
id10t
Senior Member
 
Join Date: Nov 2008
Posts: 237

Code:
    # "sshbrute" is not a match module but the name of a "recent" address list,
    # so the match is "-m recent --name sshbrute" (it counts new tcp connections to port 22, not failed logins)
    iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --name sshbrute --set

    # drop a NEW connection once the source has opened 4 or more within the last 60 seconds
    iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --name sshbrute --update --seconds 60 --hitcount 4 -j DROP
Something like this should drop connections if they've made 4 unsuccessful attempts in the last 60 seconds...
  #5  
Old 1st September 2009, 08:13
dipeshmehta
Senior Member
 
Join Date: Nov 2008
Location: Rajkot, India
Posts: 173

I get the following error:
Code:
root@server:~# iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m sshbrute --set
iptables v1.3.8: Couldn't load match `sshbrute':/lib/iptables/libipt_sshbrute.so: cannot open shared object file: No such file or directory
Dipesh
  #6  
Old 1st September 2009, 10:20
Leszek
Senior Member
 
Join Date: Nov 2006
Location: Poland,Włocławek
Posts: 369

I recommend DenyHosts and Fail2Ban. You should pick only one.
Check that it will not interfere with any other software you are using.
For DenyHosts your sshd should be compiled with TCP wrappers support (most are, also binary versions). It is an application-level lock, while Fail2Ban uses iptables (also present in most distributions), which can lock out an IP address at the network level. It looks like both could be used at once, but I only use DenyHosts. Seems to do the job well. Be sure to set IPs that will never get banned to avoid locking yourself out.
  #7  
Old 14th September 2009, 17:28
seshperankh
Junior Member
 
Join Date: Aug 2009
Posts: 2

Quote:
Originally Posted by id10t
Code:
    # "sshbrute" is not a match module but the name of a "recent" address list,
    # so the match is "-m recent --name sshbrute" (it counts new tcp connections to port 22, not failed logins)
    iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --name sshbrute --set

    # drop a NEW connection once the source has opened 4 or more within the last 60 seconds
    iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --name sshbrute --update --seconds 60 --hitcount 4 -j DROP
Something like this should drop connections if they've made 4 unsuccessful attempts in the last 60 seconds...


I appreciate the answer id10t. Unfortunately I get the same error as dipeshmehta.
I will have to look at this more to figure out the best way to do this. Now that I have a way to go I can at least research it.

thanks

Leszek, I would love to try one of those, but the boss doesn't want to go that route.
  #8  
Old 14th September 2009, 20:58
id10t
Senior Member
 
Join Date: Nov 2008
Posts: 237

Found that by googling for an iptables primer... sorry it doesn't work as advertised. But as you said, it may give you a good starting point.
  #9  
Old 14th September 2009, 22:50
Leszek
Senior Member
 
Join Date: Nov 2006
Location: Poland,Włocławek
Posts: 369

Quote:
Originally Posted by seshperankh

Leszek, I would love to try one of those, but the boss doesn't want to go that route.
I know what you mean. Same here (sometimes).
  #10  
Old 26th October 2009, 18:24
matey
Member
 
Join Date: Feb 2009
Posts: 93

btw this is a cool command to get the intruders' IPs from /var/log/auth.log
and then put them in the /etc/hosts.deny file;
I made a script out of it by chmod and run it;

I had a problem with this line but I leave it for those who know what they are doing lol;
Code:
    # after cutting on ']' the IP is field 9 only for "invalid user <name>" lines;
    # for a known user name it is field 7, so the column depends on the line
    #grep 'Failed password' /var/log/auth.log|cut -d ']' --fields=2|cut -d ' ' --fields=9|sort|uniq -c|sort -nr > ct-result.txt

this 1 works for me, well sort of cuz it is hard to tell which column the IP address is registered in? 13? or 14? or??
Code:
    # field 13 is the IP for "invalid user" lines with a two-digit day; a single-digit
    # day is padded with an extra space, which shifts every field by one
    # (uniq -c only merges adjacent duplicates, hence the sort in front of it)
    grep 'from' /var/log/auth.log|cut -d ' ' --fields=13|sort|uniq -c|sort -nr > ct-result.txt

then I give it 2 seconds to write the results to a text file
Code:
    sleep 2
    cat ct-result.txt | more

I copy all the intruders' IPs and paste them into the /etc/hosts.deny file.

the following is a note to myself;
#To get a line number use sed like if you want line 40 of a file called file-1 do:
# sed '40q;d' file-1
#or use awk 'NR==40 {print;exit}' file-1

IF Anyone can make it better please post it here.

thanks!
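An added example, not code from any poster in this thread, that ties the approaches above together: a POSIX sh script that counts sshd "Failed password" lines per source address, pulls the address out of "from <ip> port" so the word column does not matter (the problem the cut one-liners run into), and prints hosts.deny entries for every address at or above 5 failures while skipping a whitelist so the admin is never locked out. The log lines, hostname "srv" and all addresses are constructed test data, and only IPv4 in the OpenSSH log format shown is assumed.

```shell
#!/bin/sh
# Added example, not code from the thread. Counts sshd "Failed password" lines per
# source address and prints /etc/hosts.deny entries for addresses at or above a
# threshold, skipping a whitelist so the admin cannot lock themselves out.
# The address is taken from "from <ip> port", so the word column does not matter
# (the cut one-liners break because "invalid user <name>" shifts the fields).
# Assumes IPv4 addresses and the OpenSSH log format shown below.

# Constructed sample log (RFC 5737 test addresses, hostname "srv"), not real data.
SAMPLE_LOG='Aug 30 20:43:01 srv sshd[2101]: Failed password for root from 192.0.2.10 port 4021 ssh2
Aug 30 20:43:03 srv sshd[2101]: Failed password for root from 192.0.2.10 port 4022 ssh2
Aug 30 20:43:05 srv sshd[2103]: Failed password for invalid user admin from 192.0.2.10 port 4023 ssh2
Aug 30 20:43:07 srv sshd[2104]: Failed password for invalid user test from 192.0.2.10 port 4024 ssh2
Aug 30 20:43:09 srv sshd[2105]: Failed password for invalid user oracle from 192.0.2.10 port 4025 ssh2
Aug 30 20:44:00 srv sshd[2110]: Failed password for invalid user admin from 198.51.100.7 port 5100 ssh2
Aug 30 20:44:02 srv sshd[2111]: Accepted password for alice from 203.0.113.5 port 6000 ssh2
Aug 30 20:45:00 srv sshd[2120]: Failed password for bob from 203.0.113.5 port 6001 ssh2
Aug 30 20:45:01 srv sshd[2120]: Failed password for bob from 203.0.113.5 port 6001 ssh2
Aug 30 20:45:02 srv sshd[2120]: Failed password for bob from 203.0.113.5 port 6001 ssh2
Aug 30 20:45:03 srv sshd[2120]: Failed password for bob from 203.0.113.5 port 6001 ssh2
Aug 30 20:45:04 srv sshd[2120]: Failed password for bob from 203.0.113.5 port 6001 ssh2
Aug 30 20:45:05 srv sshd[2120]: Failed password for bob from 203.0.113.5 port 6001 ssh2'

# failed_counts < logfile  ->  "<count> <ip>" per line, most failures first
failed_counts() {
    grep 'Failed password for' \
        | sed -n 's/.* from \([0-9][0-9.]*\) port [0-9]*.*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# deny_entries THRESHOLD "WHITELIST" < logfile
# Prints "sshd: <ip>" for every address with at least THRESHOLD failures that is
# not in the space-separated WHITELIST (the addresses you never want banned).
deny_entries() {
    threshold=$1
    whitelist=" $2 "
    failed_counts | while read -r count ip; do
        [ "$count" -ge "$threshold" ] || continue
        case "$whitelist" in *" $ip "*) continue ;; esac
        printf 'sshd: %s\n' "$ip"
    done
}

# Demo on the sample: 192.0.2.10 (5 failures) is denied, 203.0.113.5 (6 failures)
# is whitelisted, 198.51.100.7 (1 failure) stays below the threshold.
printf '%s\n' "$SAMPLE_LOG" | deny_entries 5 "203.0.113.5 10.0.0.1"
```

On a real box you would feed it `< /var/log/auth.log` and append the output to /etc/hosts.deny; the same counting works for the "hosts.deny" step in the post above without copying addresses by hand.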