[TriLUG] Failed logins
Jason Faulkner
jasonlf at gmail.com
Fri Sep 2 13:55:00 EDT 2005
Hah, time for me to rival Aaron in response length.
SSHd failed logins are *very* *very* common. Here are a few things you can
do to protect yourself.
1) Run sshd on a strange port (I used 1022 for a while). While this doesn't
prevent true hacking attempts (they'll use nmap), this'll help reduce the
bot logins; in fact, this was the ONLY solution I had to use.
2) Use iptables to block IPs who hammer with bad passwords. Here's a script
I've seen recommended:
(script coming, based on the skel script from debian)
#! /bin/sh
#
# ssh-bruteforce
#
# Author: Michael Greb <michael at thegrebs.com>.
#
# Version: @(#)ssh-bruteforce 1.0 26-Mar-2005
#
set -e
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DESC="iptables for ssh brute force mitigation"
NAME=ssh-bruteforce
SCRIPTNAME=/etc/init.d/$NAME
#
# Function that starts the daemon/service.
#
d_start() {
    # Chain for addresses that must never be rate-limited. Creating it a
    # second time fails, which would abort the script under set -e.
    iptables -N SSH_WHITELIST 2>/dev/null || true
    # Whitelisted source: forget its entry in the SSH list and accept it.
    iptables -A SSH_WHITELIST -s 70.187.46.105 -m recent --remove --name SSH -j ACCEPT
    # Record every new connection to port 22 in the "SSH" recent list.
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
    # Let whitelisted addresses through before the rate limit applies.
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
    # 4 or more new connections from one address within 60 seconds: log, then drop.
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update \
        --seconds 60 --hitcount 4 --rttl --name SSH -j ULOG --ulog-prefix SSH_brute_force
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update \
        --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
}
case "$1" in
  start)
    echo -n "Starting $DESC: $NAME"
    d_start
    echo "."
    ;;
  *)
    echo "Usage: $SCRIPTNAME {start}" >&2
    exit 1
    ;;
esac
exit 0
(endscript)
Take this line:
iptables -A SSH_WHITELIST -s 70.187.46.105 -m recent --remove --name SSH -j ACCEPT
and edit it to match your current IP, and duplicate it if you want more
whitelisted.
3) You can use pubkey authentication only. This disables passwords, and
only allows clients which have the pubkey file to connect. This is good if
you only connect from one box, or use a USB key personalized putty/sshd.
More information can be found at the linode forums, here
http://www.linode.com/forums/viewtopic.php?t=1157
Okay. That's my longest post ever. Woo!
--
Jason Faulkner
------------------------
OldOs.org Owner/Admin / http://oldos.org / jason at oldos.org
------------------------
Certified INGOTS Gold Assessor Trainer / http://www.theingots.org
------------------------
OpenOffice.org Marketing Volunteer / jlfaulkn at openoffice.org
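An added example that is not part of Jason's post or Michael Greb's script, covering items 2 and 3 together: a POSIX shell script that counts sshd "Failed password" lines per source address from constructed auth.log lines, reports the addresses at or above the same 4-attempt cutoff the init script's --hitcount 4 uses, and checks an sshd_config fragment for the settings that pubkey-only authentication needs (PasswordAuthentication and ChallengeResponseAuthentication both off; the keyword names are the ones OpenSSH used at the time). The log lines, config fragments and function names are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): count failed sshd logins per
# source address, and audit sshd_config for password logins being disabled.

# Constructed sample auth.log lines in OpenSSH's syslog format.
SAMPLE_LOG='Sep  2 13:40:01 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40212 ssh2
Sep  2 13:40:03 host sshd[2103]: Failed password for invalid user test from 203.0.113.7 port 40213 ssh2
Sep  2 13:40:05 host sshd[2105]: Failed password for root from 203.0.113.7 port 40214 ssh2
Sep  2 13:40:07 host sshd[2107]: Failed password for root from 203.0.113.7 port 40215 ssh2
Sep  2 13:41:10 host sshd[2110]: Failed password for jason from 198.51.100.20 port 51002 ssh2
Sep  2 13:41:30 host sshd[2112]: Accepted publickey for jason from 198.51.100.20 port 51003 ssh2
Sep  2 13:42:00 host sshd[2115]: Failed password for invalid user oracle from 192.0.2.9 port 33001 ssh2'

# failed_by_ip: read log lines on stdin, print "<count> <ip>" per source
# address, highest count first. Accepted logins are ignored.
failed_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password for' |
    sed -n 's/.* from \([0-9.]*\) port .*/\1/p' |
    sort | uniq -c | sort -rn |
    awk '{ print $1, $2 }'
}

# offenders THRESHOLD: print only addresses with at least THRESHOLD failures,
# one per line (same cutoff as the init script's --hitcount 4).
offenders() {
    failed_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# Constructed sshd_config fragments: one hardened for pubkey-only logins,
# one close to the stock defaults.
HARDENED_CONF='Port 1022
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no'

DEFAULT_CONF='Port 22
PubkeyAuthentication yes
#PasswordAuthentication yes
ChallengeResponseAuthentication yes'

# sshd_option NAME: print the effective value of NAME from the config on
# stdin. sshd uses the first uncommented occurrence of a keyword, so the
# first match wins; nothing is printed when the keyword is unset.
sshd_option() {
    awk -v key="$1" 'tolower($1) == tolower(key) { print $2; exit }'
}

# password_logins_disabled: exit 0 only if the config on stdin turns off
# both password and challenge-response (keyboard-interactive) logins.
# Both keywords default to "yes" when absent, so absence counts as enabled.
password_logins_disabled() {
    conf=$(cat)
    pw=$(printf '%s\n' "$conf" | sshd_option PasswordAuthentication)
    cr=$(printf '%s\n' "$conf" | sshd_option ChallengeResponseAuthentication)
    [ "${pw:-yes}" = "no" ] && [ "${cr:-yes}" = "no" ]
}

# Demo on the constructed data when run directly.
echo "Failed password attempts per source:"
printf '%s\n' "$SAMPLE_LOG" | failed_by_ip
echo "Sources at or above 4 attempts:"
printf '%s\n' "$SAMPLE_LOG" | offenders 4
if printf '%s\n' "$DEFAULT_CONF" | password_logins_disabled; then
    echo "default config: password logins disabled"
else
    echo "default config: password logins still enabled"
fi
```

Run it against a real log with `grep sshd /var/log/auth.log | offenders 4` after sourcing the file; the address list is what you would compare against the whitelist before adding any DROP rule, and the config check is a quick way to confirm item 3 actually took effect after editing sshd_config and restarting sshd.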