<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
<META NAME="GENERATOR" CONTENT="GtkHTML/3.6.2">
</HEAD>
<BODY>
Russ,<BR>
<BR>
I've configured sshd on a couple of servers to run with xinetd, and in the configuration for the service you can specify what IP addresses can make connections. Not sure about your suggestion of locking out after so many failed attempts, but here's an example of my sshd config. This file is /etc/xinetd.d/sshd. The only_from entry is a space-separated list of IP addresses, or ranges.<BR>
<BR>
service ssh<BR>
{<BR>
protocol = tcp<BR>
socket_type = stream<BR>
wait = no<BR>
user = root<BR>
server = /usr/sbin/sshd<BR>
port = 22<BR>
server_args = -i<BR>
instances = 30<BR>
only_from = 127.0.0.1<BR>
log_on_failure = ATTEMPT HOST USERID<BR>
}<BR>
<BR>
<BR>
Hope this helps!<BR>
<BR>
Shawn Maceno<BR>
<BR>
On Fri, 2005-07-15 at 07:46 -0400, Russ Schneider wrote:
<BLOCKQUOTE TYPE=CITE>
<PRE>
<FONT COLOR="#000000">Occasionally, I get someone trying to break in via ssh, just hammering </FONT>
<FONT COLOR="#000000">away, I'm assuming just trying to guess passwords automatically.</FONT>
<FONT COLOR="#000000">Example: <A HREF="http://www.sugapablo.net/docs/script-02.txt">http://www.sugapablo.net/docs/script-02.txt</A></FONT>
<FONT COLOR="#000000">I have a firewall, ssh is one of the few open ports. The firewall </FONT>
<FONT COLOR="#000000">(Netgear) does not let me block IP addresses or IP ranges.</FONT>
<FONT COLOR="#000000">I did notice that in sshd_config, root was allowed to login. I just</FONT>
<FONT COLOR="#000000">turned that off.</FONT>
<FONT COLOR="#000000">Luckily, no one has gotten in with this kind of attempt yet. But I was </FONT>
<FONT COLOR="#000000">wondering if there were any further measures I could take to make sure it </FONT>
<FONT COLOR="#000000">never happens.</FONT>
<FONT COLOR="#000000">Ideally, I would think there would/should be some kind of measure I could</FONT>
<FONT COLOR="#000000">take where if an IP address made X number of attempts to login and failed</FONT>
<FONT COLOR="#000000">in a Y hour period, that IP address would be blocked from further login</FONT>
<FONT COLOR="#000000">attempts.</FONT>
<FONT COLOR="#000000">Any such thing available/possible?</FONT>
<FONT COLOR="#000000">Any other suggestions to further tighten things down? What about other </FONT>
<FONT COLOR="#000000">users in the system like http, mysql, ftp, etc? I *assume* that since </FONT>
<FONT COLOR="#000000">these users don't have (at least I don't think so) passwords associated </FONT>
<FONT COLOR="#000000">with them and sshd_config will only allow users with passwords to login </FONT>
<FONT COLOR="#000000">that they can't login. (But I could be wrong.)</FONT>
</PRE>
</BLOCKQUOTE>
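<BR>
As an added example (not code from either post), the following Python script implements the counting Russ asks about: it scans syslog-style sshd "Failed password" lines and reports every source address with at least X failures inside any Y-hour window. The log lines, hostnames and addresses are constructed samples, and the year is assumed because syslog timestamps carry none.<BR>
<BR>
```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of syslog-style sshd lines; hostnames and addresses are made up.
SAMPLE_LOG = """\
Jul 15 07:01:12 host sshd[2311]: Failed password for root from 192.0.2.10 port 40111 ssh2
Jul 15 07:01:15 host sshd[2311]: Failed password for invalid user admin from 192.0.2.10 port 40112 ssh2
Jul 15 07:02:03 host sshd[2315]: Failed password for root from 192.0.2.10 port 40120 ssh2
Jul 15 07:03:44 host sshd[2320]: Accepted publickey for russ from 198.51.100.7 port 51000 ssh2
Jul 15 07:10:20 host sshd[2331]: Failed password for russ from 198.51.100.7 port 51002 ssh2
Jul 15 09:30:01 host sshd[2402]: Failed password for root from 192.0.2.10 port 40300 ssh2
Jul 15 11:45:09 host sshd[2500]: Failed password for invalid user test from 203.0.113.5 port 33000 ssh2
Jul 15 11:45:11 host sshd[2500]: Failed password for invalid user test from 203.0.113.5 port 33001 ssh2
Jul 15 11:45:13 host sshd[2500]: Failed password for invalid user test from 203.0.113.5 port 33002 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

def parse_failures(log_text, year=2005):
    """Return (timestamp, ip) for each 'Failed password' line; the year is assumed."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"]))
    return events

def offending_ips(log_text, max_failures=3, window_hours=1):
    """Map ip -> peak count for sources with >= max_failures failures in any window_hours span."""
    by_ip = defaultdict(list)
    for ts, ip in parse_failures(log_text):
        by_ip[ip].append(ts)
    window = timedelta(hours=window_hours)
    hits = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0                      # sliding window over this source's failures
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1             # drop failures older than the window
            count = end - start + 1
            if count >= max_failures:
                hits[ip] = max(count, hits.get(ip, 0))
    return hits
```
<BR>
The addresses it returns are what you would feed into a block list, for instance xinetd's no_access attribute, the complement of the only_from shown above.<BR>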
</BODY>
</HTML>