[ILUG] Breakins attempted - advice please
Kevin Philp
kevin at cybercolloids.net
Wed Aug 27 12:37:45 IST 2008
You will get this regularly with SSH - we get it about twice a day. It's
a brute force attack - they run a program to guess your login details.
There are various programs to block SSH denial of service attacks but
you can use iptables - basically if you try to connect to port 22 more
than X times in Y minutes you get blocked and you can set the blocking
time - we use 10 minutes but you can use whatever. The links point to a
couple of articles but google for "iptables ssh brute force" and there
are loads. We have used iptables to block SSH brute force for a couple
of years and it works very well.
http://la-samhna.de/library/brutessh.html
http://kevin.vanzonneveld.net/techblog/article/block_brute_force_attacks_with_iptables/
Kevin.
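Kevin's threshold-and-ban approach, written out as a small auth.log scanner rather than as iptables rules, is added here as an example and is not code from the original thread or from the tools linked above. It counts "Failed password" lines per source host inside a sliding window and reports which hosts would be blocked and until when; the log lines (the first three copied from John's excerpt, the rest made up), the year 2008, the 3-failures-in-2-minutes threshold and the 10-minute ban are all assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: the first three lines are from the excerpt in John's post,
# the last two are made up (192.0.2.10 is a documentation-only address).
SAMPLE_LOG = """\
Aug 27 11:56:20 jkcray sshd[15664]: Failed password for root from 200.78.212.68 port 34256 ssh2
Aug 27 11:56:22 jkcray sshd[15666]: Invalid user magazine from 200.78.212.68
Aug 27 11:56:24 jkcray sshd[15666]: Failed password for invalid user magazine from 200.78.212.68 port 34486 ssh2
Aug 27 11:56:27 jkcray sshd[15668]: Failed password for invalid user test from 200.78.212.68 port 34500 ssh2
Aug 27 11:59:01 jkcray sshd[15670]: Failed password for john from 192.0.2.10 port 50000 ssh2
"""

# Matches both "Failed password for root from ..." and "... for invalid user NAME from ..."
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failures(log_text, year=2008):
    """Yield (timestamp, ip, user) for each failed-password line; syslog omits the year, so it is assumed."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]

def find_offenders(log_text, max_failures=3, window_minutes=2, ban_minutes=10, year=2008):
    """Return {ip: (blocked_at, blocked_until)} for hosts that exceed X failures in Y minutes."""
    recent = defaultdict(deque)            # per-IP failure timestamps inside the window
    window = timedelta(minutes=window_minutes)
    blocked = {}
    for ts, ip, _user in parse_failures(log_text, year):
        if ip in blocked:
            continue                       # already banned; a firewall rule would drop these
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()                    # forget failures older than the window
        if len(q) >= max_failures:
            blocked[ip] = (ts, ts + timedelta(minutes=ban_minutes))
    return blocked

if __name__ == "__main__":
    for ip, (start, end) in find_offenders(SAMPLE_LOG).items():
        print(f"block {ip} from {start:%H:%M:%S} until {end:%H:%M:%S}")
```

With the defaults, only 200.78.212.68 (three failures within seven seconds) is reported; the single failure from 192.0.2.10 stays under the threshold.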
Paul Mullen wrote:
> Hi John,
>
> John Kinsella wrote:
>> Hi,
>> no flames please!
>>
>> I'm being regularly subjected to what appear to auth.log (and me) to
>> be attempted breakins on my office desktop machine (Ubuntu Hardy
>> Heron with Firestarter firewall)
>> e.g.
>>
>> ==============8<===========
>> Aug 27 11:56:18 jkcray sshd[15664]: pam_unix(sshd:auth):
>> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
>> rhost=200.78.212.68 user=root
>> Aug 27 11:56:20 jkcray sshd[15664]: Failed password for root from
>> 200.78.212.68 port 34256 ssh2
>> Aug 27 11:56:22 jkcray sshd[15666]: reverse mapping checking
>> getaddrinfo for na-200-78-212-68.na.avantel.net.mx [200.78.212.68]
>> failed - POSSIBLE BREAK-IN ATTEMPT!
>> Aug 27 11:56:22 jkcray sshd[15666]: Invalid user magazine from
>> 200.78.212.68
>> Aug 27 11:56:22 jkcray sshd[15666]: pam_unix(sshd:auth): check pass;
>> user unknown
>> Aug 27 11:56:22 jkcray sshd[15666]: pam_unix(sshd:auth):
>> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
>> rhost=200.78.212.68
>> Aug 27 11:56:24 jkcray sshd[15666]: Failed password for invalid user
>> magazine from 200.78.212.68 port 34486 ssh2
>> ==============8<===========
>>
>> I'd like to keep sshd running so I can log in from home.
>>
>> Other than changing firewall settings to block all but my ISP's IP
>> addresses for access via ssh is there anything else that I should be
>> looking at?
> I'd look at fail2ban or hostdeny which will add a firewall rule after
> a configurable number of failed login attempts from a host. Also only
> use passphrase protected ssh keys to log into your box and turn off
> password auth.
>>
>> Thanks
>>
>> John
>>
>
>
> Paul.