Help with SSH issue

Discussion in 'Suggest HOWTO' started by seshperankh, Aug 30, 2009.

  1. seshperankh

    seshperankh New Member

    Hi. I am hoping someone can write a how to for this or point me in the right direction.

    My boss wants me to setup something with SSHD so that when someone tries to login 5 times and fails, it blocks their IP.

    I would like to do this without multiple patches or add-ons. I will have to do this on 6 servers with different Linux distros.
     
  2. martinfst

    martinfst HowtoForge Supporter

  3. jon

    jon HowtoForge Supporter

    I use fail2ban for that; it's a simple Python script that takes care of that for you. Although if it's not available for all the distros you have, the DenyHosts idea would be great.
     
  4. id10t

    id10t Member

    Code:
        iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m sshbrute --set 
    
        iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m sshbrute --update --seconds 60 --hitcount 4 -j DROP
    
    Something like this should drop connections if they've made 4 unsuccessful attempts in the last 60 seconds...
     
  5. dipeshmehta

    dipeshmehta New Member

    I get following error:
    Code:
    root@server:~# iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m sshbrute --set
    iptables v1.3.8: Couldn't load match `sshbrute':/lib/iptables/libipt_sshbrute.so: cannot open shared object file: No such file or directory
    Dipesh
     
  6. Leszek

    Leszek New Member

    I recommend DenyHosts and Fail2Ban. You should pick only one.
    Check that it will not interfere with any other software you are using.
    For DenyHosts your sshd should be compiled with tcpwrappers support (most are; binary versions too). It is an application-level lock, while Fail2Ban uses iptables (also present in most distributions), which can lock out an IP address on the network level. It looks like both could be used at once, but I only use DenyHosts. Seems to do the job well. Be sure to set IPs that will never get banned to avoid locking yourself out.
     
  7. seshperankh

    seshperankh New Member

    :D

    I appreciate the answer, id10t. Unfortunately I get the same error as dipeshmehta.
    I will have to look at this more to figure out the best way to do this. Now that I have a way to go I can at least research it.

    thanks

    Leszek, I would love to try one of those, but the boss doesn't want to go that route.
     
  8. id10t

    id10t Member

    Found that by googling for an iptables primer... sorry it doesn't work as advertised. But as you said, it may give you a good starting point.
     
  9. Leszek

    Leszek New Member

    I know what You mean. Same here (sometimes) ;)
     
  10. matey

    matey New Member

    BTW, this is a cool command to get the intruders' IPs from /var/log/auth.log
    and then put them in the /etc/hosts.deny file;
    I made a script out of it with chmod and ran it;


    I had problem with this line but I leave it for those who know what they are doing lol; #grep 'Failed password' /var/log/auth.log|cut -d ']' --fields=2|cut -d ' ' --fields=9|uniq -c|sort -nr > ct-result.txt

    this one works for me, well sort of, because it is hard to tell which column the IP address is registered in? 13? or 14? or??

    grep 'from' /var/log/auth.log|cut -d ' ' --fields=13|sort|uniq -c|sort -nr > ct-result.txt

    then I give it 2 seconds to write the results in a text file
    sleep 2
    cat ct-result.txt |more

    I copy all the intruders IPs and paste them into /etc/hosts.deny file.

    the following is a note to myself;
    #To get a line number use sed like if you want line 40 of a file called file-1 do:
    # sed '40q;d' file-1
    #or use awk 'NR==40 {print;exit}' file-1

    If anyone can make it better please post it here.

    thanks!
     
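    Pulling the pieces of this thread together (the 5-failure threshold from the first post, the auth.log counting above and Leszek's never-ban list), here is an added shell example that is not from any post in this thread: it takes the address from the text after "from" instead of guessing a column, sorts before uniq -c so the counts are correct, and prints hosts.deny lines for review. The log lines are constructed, and the function names (fail_lines, write_sample_log, failed_login_offenders, hosts_deny_lines) are my own.

```sh
#!/bin/sh
# Added example, not from the thread. Counts failed SSH password attempts per
# source IP in an auth.log-style file and prints hosts.deny entries for every
# IP at or above a threshold, skipping a never-ban list. Assumes OpenSSH's
# "Failed password for <user> from <ip> port <n> ssh2" log format.

# Constructed sample data: write <count> failure lines for <ip> as <user>.
fail_lines() {
    i=0
    while [ "$i" -lt "$1" ]; do
        i=$((i + 1))
        echo "Aug 30 10:0$i:00 server sshd[12$i]: Failed password for $3 from $2 port 5000$i ssh2"
    done
}

# Write a constructed stand-in for /var/log/auth.log to the path in $1.
write_sample_log() {
    {
        fail_lines 5 203.0.113.5 root
        fail_lines 6 198.51.100.7 "invalid user admin"
        fail_lines 2 192.0.2.10 bob
        echo "Aug 30 10:09:00 server sshd[130]: Accepted password for bob from 192.0.2.10 port 50009 ssh2"
    } > "$1"
}

# Print "count ip" for each source with at least $2 failures in log $1,
# ignoring IPs in the space-separated never-ban list $3 (may be empty).
# The address is taken from the text after " from ", so the column number
# in the log line no longer matters; sort before uniq -c so counts are right.
failed_login_offenders() {
    grep 'Failed password' "$1" \
      | sed -n 's/.* from \([0-9][0-9.]*\) port .*/\1/p' \
      | sort | uniq -c | sort -nr \
      | awk -v min="$2" -v wl=" $3 " \
            '$1 >= min && index(wl, " " $2 " ") == 0 { print $1, $2 }'
}

# Same arguments; print one hosts.deny line per offender (the tcpwrappers
# daemon name for OpenSSH is sshd). Review before appending to /etc/hosts.deny.
hosts_deny_lines() {
    failed_login_offenders "$@" | awk '{ print "sshd: " $2 }'
}

# Demo against the constructed log; real use points at /var/log/auth.log.
demo_log=$(mktemp)
write_sample_log "$demo_log"
hosts_deny_lines "$demo_log" 5 "198.51.100.7"   # prints: sshd: 203.0.113.5
rm -f "$demo_log"
```

    Run it as a cron job or by hand, and keep the never-ban list populated with the addresses you administer from, otherwise a typo in your own password can lock you out.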
  11. martinfst

    martinfst HowtoForge Supporter

    For abusive login detection, there's a standard tool called 'denyhosts', installable directly from most repositories.
     