SSH Scans Lockout

I don't know about anybody else but I'm getting a lot of SSH scanning attempts appearing in the logs on my linode. Whilst this isn't a problem as such, with root ssh disabled and only 1 account allowed to login, it's getting annoying with pages of log entries showing failed attempts using "admin/password", "root/password" etc.

What I'm looking to do is add any host that has 3 failed login attempts to hosts.deny and cut down on the logs that are created. Apparently this is easy to do with FreeBSD, though I've never heard of it being done on Linux (Debian incidentally).

Anybody have any suggestions?

14 Replies

The easiest way is probably to have a script that tails the logs and adds to the hosts.deny itself. I'm not quite sure of the details though. One variant on that idea would be to have a continuous process that runs tail -f on it and uses that. It wouldn't miss anything, but it would need to run as root, or have some means of getting root. Besides, I'm not sure what the performance issues with that would be.

I don't offhand know of any other ways, unless you look into some sort of IDS program. I've never fiddled with them myself so I don't know how you would get them working on Linux either.

Hope this helps.
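As an added example (not from any poster in this thread), here is a small Python script that does the counting part of that idea: it reads OpenSSH "Failed password" lines in the Debian /var/log/auth.log format, counts failures per source IP, and prints the hosts.deny entries for any IP at or above the threshold. It assumes sshd is built with tcp_wrappers (so hosts.deny applies to it); the log lines below are constructed, and appending the output to /etc/hosts.deny still needs root, as the reply above notes.

```python
import re
import sys
from collections import Counter

# Matches the OpenSSH auth-log line for a failed password; the IP group also
# accepts IPv4-mapped IPv6 addresses such as ::ffff:203.0.113.5.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

# Constructed sample log lines (not taken from the original post).
SAMPLE_LOG = """\
Jan 12 03:14:15 linode sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 12 03:14:18 linode sshd[1234]: Failed password for root from 203.0.113.5 port 51235 ssh2
Jan 12 03:14:22 linode sshd[1236]: Failed password for invalid user patrick from 203.0.113.5 port 51236 ssh2
Jan 12 03:20:01 linode sshd[1240]: Failed password for invalid user guest from 198.51.100.7 port 40000 ssh2
Jan 12 03:20:05 linode sshd[1240]: Failed password for root from 198.51.100.7 port 40001 ssh2
Jan 12 03:25:00 linode sshd[1250]: Accepted password for alice from 192.0.2.9 port 50000 ssh2
"""


def failed_attempts(lines):
    """Count failed password attempts per source IP (successful logins are ignored)."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def hosts_to_deny(lines, threshold=3):
    """IPs with at least `threshold` failures, sorted for stable output."""
    counts = failed_attempts(lines)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def deny_entries(ips):
    """hosts.deny lines in the form tcp_wrappers expects: 'sshd: <ip>'."""
    return [f"sshd: {ip}" for ip in ips]


if __name__ == "__main__":
    # Read a log from stdin (e.g. `tail -n 500 /var/log/auth.log | python3 ssh_deny.py`)
    # or fall back to the constructed sample; print entries for the admin to append.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    for entry in deny_entries(hosts_to_deny(source)):
        print(entry)
```

Because counts are kept only in memory, a long-running `tail -f` variant would need to be restarted or have its counts expired to avoid growing without bound.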

I also noticed a lot of those scans in my logs (interestingly, the username 'patrick' seems to be tried quite often, as well as 'guest', 'admin', 'root', etc.) and modified my firewall to ignore ssh connection attempts after the 3rd within 60 seconds from any one IP. It's not exactly what you wanted to do, but it has some of the same effect. More details are in the thread:

http://www.linode.com/forums/viewtopic.php?t=1240

Since I'm the only person using my Linode, I don't install SSH at all.

Instead I log in through the host server (i.e. hostXX.linode.com) and use the actual console.

I too have noticed ssh login attempts that are not mine. What I've done is edited my /etc/ssh/sshd_config file appropriately, most importantly disallowing remote root login. It may also be wise to put up a login banner to alert hackers that they can be prosecuted for their actions.

@Ciaran:

The easiest way is probably to have a script that tails the logs and adds to the hosts.deny itself.

Or instead of adding the ip to hosts.deny (which clues the user in that he's been denied and just causes him to continue his mischief from a different host), go ahead and give him a root shell. Not a real one, just make it look real enough to waste his time. When he realizes there's nothing worth looking at and that the system is broken enough that it's not worth the time to break in ("why do ps and top always segfault?"), he'll go away and bother someone else.

@cout:

@Ciaran:

The easiest way is probably to have a script that tails the logs and adds to the hosts.deny itself.

Or instead of adding the ip to hosts.deny (which clues the user in that he's been denied and just causes him to continue his mischief from a different host), go ahead and give him a root shell. Not a real one, just make it look real enough to waste his time. When he realizes there's nothing worth looking at and that the system is broken enough that it's not worth the time to break in ("why do ps and top always segfault?"), he'll go away and bother someone else.

This sounds like it has the potential to tick a hacker off, which may make him try to "get even". He'll see a challenge and continue to dig. hosts.deny sounds like the better option between the two, as all it's doing is denying access (sorta similar to a firewall). If he sees that he's being denied and tries to use another IP, that one will be blocked also, after 3 tries.

Maybe we can ask caker to install a honey pot we can send all of our mischief makers to.

I wonder if Chris is a whitehat or a blackhat?

:twisted:

How about configuring hosts.allow/hosts.deny to deny SSH traffic for all but a couple of (or a block of) IP addresses?

An alternative is to simply block the SSH port in the firewall and only open it for users who know the secret port knocking sequence (who then proceed to login as normal). That way it will look like you don't even run an SSH server on the box.

@cederberg:

An alternative is to simply block the SSH port in the firewall and only open it for users who know the secret port knocking sequence (who then proceed to login as normal). That way it will look like you don't even run an SSH server on the box.

OOOO….

I'm gonna check that one out!

Or do like me, and just SSH using a nonstandard port. It's one line in the sshd_config, and you lose all the bot login attempts.

My ssh client happens to use protocol version 1. Just for the heck of it I added the line "protocol 1" to the sshd_config file. Sure enough, once or twice a day a line similar to the following appears in /var/log/secure:

Protocol major versions differ for ::ffff:211.184.84.128: SSH-1.5-OpenSSH_3.5p1 vs. SSH-2.0-libssh-0.1

BTW, the only difference is the IP address; the 'SSH-2.0-libssh-0.1' is always there.

Hal Williams

I have had the same, but since I changed the port to a non-standard one I have not had that problem.

Yeah, that's what I did too, I moved SSH to a non-standard port just to reduce the log spammage (especially since I have unexpected log entries mailed to me automatically). I've also considered using iptables to only allow SSH from my known IP ranges, but I like being able to get in from wherever I happen to be.
