[wplug] Any tips against this kind of ssh break-in?

Teodorski, Chris teodorski at ppg.com
Fri Jul 15 08:56:06 EDT 2005


All,

When I was looking into this very thing -- I found several Perl scripts that would do just what Chris described.  In addition, they suggested installing knockd (http://www.zeroflux.org/cgi-bin/cvstrac/knock/wiki) just in case you managed to lock yourself out.

Chris

-----Original Message-----
From: wplug-bounces+teodorski=ppg.com at wplug.org [mailto:wplug-bounces+teodorski=ppg.com at wplug.org] On Behalf Of Chris Romano
Sent: Friday, July 15, 2005 8:19 AM
To: General user list
Subject: Re: [wplug] Any tips against this kind of ssh break-in?

On 7/15/05, Russ Schneider <russ at sugapablo.com> wrote:
> Occasionally, I get someone trying to break in via ssh, just hammering
> away, I'm assuming just trying to guess passwords automatically.
> 
> Example: http://www.sugapablo.net/docs/script-02.txt
> 
> I have a firewall, ssh is one of the few open ports.  The firewall
> (Netgear) does not let me block IP addresses or IP ranges.
> 
> I did notice that in sshd_config, root was allowed to login.  I just
> turned that off.
> 
> Luckily, no one has gotten in with this kind of attempt yet.  But I was
> wondering if there were any further measures I could take to make sure it
> never happens.
> 
> Ideally, I would think there would/should be some kind of measure I could
> take where if an IP address made X number of attempts to login and failed
> in a Y hour period, that IP address would be blocked from further login
> attempts.
> 
> Any such thing available/possible?
> 
> Any other suggestions to further tighten things down?  What about other
> users in the system like http, mysql, ftp, etc?  I *assume* that since
> these users don't have (at least I don't think so) passwords associated
> with them and sshd_config will only allow users with passwords to login
> that they can't login.  (But I could be wrong.)
> 


Just from the top of my head you could probably do something like this.

Write a script to check the log for failed SSH attempts.  Have it look
for X attempts within Y minutes.  If it finds any, have it write an
iptables rule or put the IP in your hosts.deny file.  Put the script in
cron to run every minute or 5 minutes.

Chris

_______________________________________________
wplug mailing list
wplug at wplug.org
http://www.wplug.org/mailman/listinfo/wplug
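A minimal version of the cron-driven checker Chris sketches above, added here as an example and not code from the thread. It counts failed sshd logins per source address in the log lines appended since the previous run (so the cron interval is the Y-minute window), and blocks offenders via both routes mentioned, hosts.deny and an iptables rule; the log path, the state-file path and the OpenSSH "Failed password for ... from IP" line format are assumptions.

```shell
#!/bin/sh
# Added example, not code from the wplug thread: block hosts that fail sshd
# password logins THRESHOLD times between two cron runs. Paths and the
# state-file location are assumptions; the log-line format is OpenSSH's
# "Failed password for [invalid user] NAME from IP port N ssh2".
THRESHOLD=${THRESHOLD:-5}                       # X: failed attempts per run window
AUTHLOG=${AUTHLOG:-/var/log/auth.log}           # Debian-style sshd log (assumed)
STATE=${STATE:-/var/lib/ssh-failcheck/offset}   # bytes already scanned (hypothetical)
NEVER_BLOCK=${NEVER_BLOCK:-127.0.0.1}           # put your own admin address here

# Print "count ip" for each source IP with at least $2 failures in file $1.
offenders() {
    awk -v limit="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= limit) print fails[ip], ip }
    ' "$1" | sort -rn
}

# Emit only the bytes appended since the previous run, so the cron interval
# (Y minutes) is the counting window; a shrunken log means rotation, restart.
new_lines_since_last_run() {
    offset=0
    [ -r "$STATE" ] && offset=$(cat "$STATE")
    size=$(wc -c < "$AUTHLOG" | tr -d ' ')
    [ "$size" -lt "$offset" ] && offset=0
    tail -c +$((offset + 1)) "$AUTHLOG"
    mkdir -p "$(dirname "$STATE")" && echo "$size" > "$STATE"
}

# Both options from the thread: TCP wrappers (hosts.deny) and a netfilter rule.
# The NEVER_BLOCK check is the lock-yourself-out guard knockd was suggested for.
block_ip() {
    [ "$1" = "$NEVER_BLOCK" ] && return 0
    grep -q "sshd: $1\$" /etc/hosts.deny 2>/dev/null || echo "sshd: $1" >> /etc/hosts.deny
    iptables -C INPUT -s "$1" -p tcp --dport 22 -j DROP 2>/dev/null \
        || iptables -I INPUT -s "$1" -p tcp --dport 22 -j DROP
}

main() {
    tmp=$(mktemp) || exit 1
    new_lines_since_last_run > "$tmp"
    offenders "$tmp" "$THRESHOLD" | while read -r count ip; do
        block_ip "$ip" && logger -t ssh-failcheck "blocked $ip after $count failed sshd logins"
    done
    rm -f "$tmp"
}

# Run from cron as root, e.g. "*/5 * * * * /usr/local/sbin/ssh-failcheck --run"
if [ "${1:-}" = "--run" ]; then main; fi
```

Blocks written to hosts.deny and iptables are permanent until you remove them, so keep the threshold high enough that a mistyped password from your own address does not trip it.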