How do I stop bruteforce SSH login attempt?
email.listen at googlemail.com
Wed Apr 12 18:54:58 UTC 2006
On Wed, 12 April 2006 13:50, Chris Peterman wrote:
> On Wednesday 12 April 2006 07:30, Soo-Hyun Choi wrote:
> > Hi,
> >
> > A few days ago, I have noticed that my system is under constant
> > attack(?) with a bruteforce SSH login - e.g., from a single IP
> > address, it tries like 100 ~ 200 ssh login trial with all different
> > user names, and go away.
> >
> > I know how to block it in a FreeBSD system with "denyhost" or
> > "bruteforceblocker" from the ports, but I have little knowledge in my
> > Ubuntu 5.10 box.
> >
> > Would there be anyone who could tell me something about it?
> >
> > Thank you.
> > Soo-Hyun
>
> Just add "ALL: <offending IP Address>" to /etc/hosts.deny. Also HowtoForge
> has a nice little DenyHosts script that takes care of these so-called
> Dictionary Attacks
Plus, add only allowed hosts to /etc/hosts.allow
- Also 'man ssh_config' will give more information on how to restrict ssh access
to a machine. Have at least a look at the options 'CheckHostIP'
and 'ConnectionAttempts'.
- A good tool to have some kind of dynamic handling of such attacks is
portsentry. Portsentry listens on ports defined in /etc/portsentry.conf and
is able to add iptables rules to block suspicious attackers.
E.G:
---8<---
# iptables support for Linux
#KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP"
#
# iptables support for Linux with limit and LOG support. Logs only
# a limited number of packets to avoid a denial of service attack.
KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP && /sbin/iptables -I INPUT -s $TARGET$ -m limit --limit 3/minute --limit-burst 5 -j LOG --log-level DEBUG --log-prefix 'Portsentry: dropping: '"
---8<---
- What I would suggest, if you are familiar with administration, is
installing and configuring xinetd instead of inetd.
xinetd is a replacement for the old inetd and allows you to bind services to
IP addresses, e.g. to local addresses only, and to restrict access to
allowed IP netmasks, e.g. your local net.
So xinetd is a good way to offer services only on the local net and not in the
wild and evil internet, and to restrict access to them.
---8<--- from /etc/xinetd.conf ---8<---
service ssh
{
        port            = 22
        # the ip 192.168.10.5 is my local-net nic
        bind            = 192.168.10.5
        socket_type     = stream
        protocol        = tcp
        user            = templin
        group           = users
        # INTERNAL is only for xinetd's built-in services (echo, chargen, ...);
        # an external sshd has to be started by xinetd in inetd mode (-i)
        type            = UNLISTED
        server          = /usr/sbin/sshd
        server_args     = -i
        wait            = no
        instances       = 4
        # access restricted to my local-net only
        only_from       = 192.168.10.0
}
---8<---
- Also a good book about Linux/Unix network security may be a good investment,
if you read it, of course; the investment alone will not make it. ;-)
Overall I have to say that network security is one of the most interesting
and dynamic fields in ITC, at least as interesting as GNU/Linux and Free
Software. :))
regards,
Thomas
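As an added example, not from the thread or from DenyHosts itself: a small POSIX shell script that does by hand what the DenyHosts script mentioned above automates, counting sshd "Failed password" lines per source address and printing the /etc/hosts.deny entries for addresses over a threshold. The log excerpt, the addresses and the threshold are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal DenyHosts-style scan.
# It counts sshd "Failed password" lines per source address in an
# auth.log and prints /etc/hosts.deny entries for addresses at or
# above a threshold. The log excerpt below is constructed sample data.

# Constructed sample auth.log lines (syslog format of the era).
SAMPLE_LOG='Apr 12 13:40:02 box sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40111 ssh2
Apr 12 13:40:04 box sshd[2103]: Failed password for invalid user test from 203.0.113.7 port 40112 ssh2
Apr 12 13:40:06 box sshd[2105]: Failed password for root from 203.0.113.7 port 40113 ssh2
Apr 12 13:40:09 box sshd[2107]: Failed password for invalid user oracle from 203.0.113.7 port 40114 ssh2
Apr 12 13:40:30 box sshd[2109]: Failed password for soohyun from 198.51.100.9 port 50222 ssh2
Apr 12 13:41:00 box sshd[2110]: Accepted publickey for soohyun from 192.168.10.20 port 51000 ssh2'

# count_failures: reads log lines on stdin, prints "<count> <ip>" for
# every address with at least one failed password, highest count first.
count_failures() {
    grep -E 'sshd\[[0-9]+\]: Failed password for ' |
    sed -E 's/.* from ([0-9.]+) port .*/\1/' |
    sort | uniq -c | sort -rn
}

# deny_entries THRESHOLD: reads log lines on stdin and prints one
# "ALL: <ip>" hosts.deny line per address with >= THRESHOLD failures.
deny_entries() {
    count_failures | awk -v t="$1" '$1 + 0 >= t + 0 { print "ALL: " $2 }'
}

# Stand-alone run: with a threshold of 3 only 203.0.113.7 is listed.
printf '%s\n' "$SAMPLE_LOG" | deny_entries 3
```

Unlike DenyHosts this has no time window and never expires an entry; pipe /var/log/auth.log into deny_entries to see which addresses the hosts.deny advice in the thread would end up blocking.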