LINUX.IE, website of the Irish Linux Users' Group
Tux rules!

   
Home
New Users
Articles
Download
Projects
Community
Vendors

  Print Version
Email to...
 
Archives:


planetILUG

Recent News

News Archive


Join the
ILUG
on FaceBook


Join the
ILUG
on LinkedIn


Join the
ILUG SETI
Group



















 
 :: Mailing Lists

[ILUG] Breakins attempted - advice please

[ILUG] Breakins attempted - advice please

Kevin Philp kevin at cybercolloids.net
Wed Aug 27 12:37:45 IST 2008 

You will get this regularly with SSH - we get it about twice a day. Its 
a brute force attack - they run a program to guess your login details.

There are various programs to block SSH denial of service attacks but 
you can use iptables -  basically if you try to connect to port 22 more 
than X times in Y minutes you get blocked and you can set the blocking 
time - we use 10 minutes but you can use whatever. The links point to a 
couple of articles but google for "iptables ssh brute force" and there 
are loads. We have used iptables to block SSH brute force for a couple 
of years and it works very well.

http://la-samhna.de/library/brutessh.html
http://kevin.vanzonneveld.net/techblog/article/block_brute_force_attacks_with_iptables/

Kevin.


Paul Mullen wrote:
> Hi John,
>
> John Kinsella wrote:
>> Hi,
>> no flames please!
>>
>> I'm being regularly subjected to what appear to auth.log (and me) to 
>> be attempted breakins on my office desktop machine (Ubuntu Hearty 
>> Heron with Firestarter firewall)
>> e.g.
>>
>> ==============8<===========
>> Aug 27 11:56:18 jkcray sshd[15664]: pam_unix(sshd:auth): 
>> authentication failure; logname= uid=0 euid=0 tty=ssh ruser= 
>> rhost=200.78.212.68  user=root
>> Aug 27 11:56:20 jkcray sshd[15664]: Failed password for root from 
>> 200.78.212.68 port 34256 ssh2
>> Aug 27 11:56:22 jkcray sshd[15666]: reverse mapping checking 
>> getaddrinfo for na-200-78-212-68.na.avantel.net.mx [200.78.212.68] 
>> failed - POSSIBLE BREAK-IN ATTEMPT!
>> Aug 27 11:56:22 jkcray sshd[15666]: Invalid user magazine from 
>> 200.78.212.68
>> Aug 27 11:56:22 jkcray sshd[15666]: pam_unix(sshd:auth): check pass; 
>> user unknown
>> Aug 27 11:56:22 jkcray sshd[15666]: pam_unix(sshd:auth): 
>> authentication failure; logname= uid=0 euid=0 tty=ssh ruser= 
>> rhost=200.78.212.68
>> Aug 27 11:56:24 jkcray sshd[15666]: Failed password for invalid user 
>> magazine from 200.78.212.68 port 34486 ssh2
>> ==============8<===========
>>
>> I'd like to keep sshd running so I can log in from home.
>>
>> Other than changine firewall settings to block all but my ISP's IP 
>> addresses for access via ssh is there anything else that I should be 
>> looking at?
> I'd look at fail2ban or hostdeny which will add a firewall rule after 
> a configurable number of failed login attempts from a host. Also only 
> use passphrase protected ssh keys to log into your box and turn off 
> password auth.
>>
>> Thanks
>>
>> John
>>
>
>
> Paul.

More information about the ILUG mailing list
Read this without the formatting.
                                                                                                    

  

Hosted by HEAnet


 Maintained by the ILUG website team. The aim of Linux.ie is to support and help commercial and private users of Linux in Ireland. You can display ILUG news in your own webpages, read backend information to find out how. Networking services kindly provided by HEAnet, server kindly donated by Dell. Linux is a trademark of Linus Torvalds, used with permission. No penguins were harmed in the production or maintenance of this highly praised website. Looking for the Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!
RSS Version
Powered by Dell