* [gentoo-server] sshd (many connection attempts with invalid user)
From: Claudinei Matos @ 2005-05-06 16:47 UTC
To: gentoo-server
Hi,
I have a lot of connection attempts on my ssh server. I've taken a look
at the sshd_config man page but I didn't find a way to deny the source
IP of the attempts for 5 minutes (for example) if this IP can't log in
after 5 attempts (for example). Is there a way to do this?
Tks,
Claudinei Matos
--
gentoo-server@gentoo.org mailing list
* Re: [gentoo-server] sshd (many connection attempts with invalid user)
From: Dan Noe @ 2005-05-06 16:52 UTC
To: gentoo-server
On Fri, May 06, 2005 at 01:47:06PM -0300, Claudinei Matos wrote:
> I have a lot of connection attempts on my ssh server. I've taken a look
> at the sshd_config man page but I didn't find a way to deny the source
> IP of the attempts for 5 minutes (for example) if this IP can't log in
> after 5 attempts (for example). Is there a way to do this?
Use a perl utility called "sshd_sentry":
http://linuxmafia.com/pub/linux/security/sshd_sentry/
It will allow you to block the hosts which abuse your sshd.
Additionally, please consider mailing abuse@ the sending ISP, especially
if it is in an English speaking country. Usually they care that one of
their machines is probing for vulnerabilities.
-D
--
/--------------- - - - - - -
| Dan Noe, freelance hacker
| http://isomerica.net/
* Re: [gentoo-server] sshd (many connection attempts with invalid user)
From: Kirk Hoganson @ 2005-05-06 16:55 UTC
To: gentoo-server
It could be done using iptables, but I am not aware of such
functionality within the sshd itself.
Kirk
* RE: [gentoo-server] sshd (many connection attempts with invalid user)
From: radu herinean @ 2005-05-06 16:55 UTC
To: gentoo-server
There's a much better way to protect yourself. Install a firewall and
deny access to that IP address. More than that, if you are on a static
IP when you connect (or several, but known addresses), simply deny from
all IPs and allow the ssh port only to those that you can trust (yours).
Even more, change the ssh server port to something very different.
If you are not familiar with firewalls you could install webmin (emerge
webmin) and do it from there, possibly via shorewall (emerge
shorewall). Don't forget to secure the webmin server as well (same as
for sshd) after your firewall is up and running.
Also, be very careful when installing the firewall for the first time
if you don't have physical access to the server. You don't want to lock
yourself out by mistake. You could also leave your firewall out of
your startup list until you are sure it's all OK, and if you accidentally
mess up you can call your provider and ask for a reboot ;)
I am surfing here, and I got far from the subject. Let us know if it
helps.
Radu
* RE: [gentoo-server] sshd (many connection attempts with invalid user)
From: Old, Gregory @ 2005-05-06 17:22 UTC
To: 'gentoo-server@lists.gentoo.org'
Claudinei,
I have seen the same issue with SSH attempts; what I did was change my
default port to a non-standard port. This eliminated the problem for me.
You can change the port setting in the sshd_config file and then restart
the daemon.
Thanks,
Greg Old
* RE: [gentoo-server] sshd (many connection attempts with invalid user)
From: Sean Wells @ 2005-05-06 18:05 UTC
To: gentoo-server
Also, on the forums there's a script called "fail2ban". It's a python
script and it monitors my logs for failed logins. I can set the time
they're banned for and how many login attempts to tolerate.
http://fail2ban.sourceforge.net/
http://forums.gentoo.org/viewtopic-t-255103-highlight-fail2ban.html
Sean Wells
Network Administrator
Data Mosaics, Inc.
2406 S. Dishman Mica Rd. Suite 6
Spokane Valley, WA 99206
866.904.DMSF (phone)
509.928.4236 (fax)
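What Claudinei asked for, Kirk's "it could be done using iptables" and the log-watching approach Sean describes for fail2ban all come down to the same small state machine: count authentication failures per source address inside a sliding window, and when the count reaches the threshold, insert a firewall rule for that address and remove it again after the ban period. The block below is an added example written for this page, not fail2ban's, sshd_sentry's or login_sentry's code. It parses OpenSSH syslog lines (the sample log is constructed, with documentation-range addresses), keeps the "5 failures in 5 minutes, ban for 5 minutes" policy from the original question, and collects the iptables commands it would run instead of executing them, so it can be run anywhere as a dry run.

```python
"""Ban a source address after repeated sshd authentication failures.

Added example, not fail2ban's or any listed tool's code: the same idea as
the "5 failures in 5 minutes, ban for 5 minutes" rule asked for in the
thread, driven by OpenSSH syslog lines, emitting the iptables commands it
would run instead of executing them (dry run).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH auth-failure lines as they appear in syslog. The syslog timestamp
# carries no year, so strptime yields 1900; only differences matter here.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?\S+|Invalid user \S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


class SshdBanner:
    def __init__(self, max_fails=5, window_s=300, ban_s=300):
        self.max_fails, self.window_s, self.ban_s = max_fails, window_s, ban_s
        self.fails = defaultdict(deque)  # ip -> timestamps of recent failures
        self.banned = {}                 # ip -> time the ban expires
        self.actions = []                # iptables commands (dry run)

    def _expire_bans(self, now):
        for ip, until in list(self.banned.items()):
            if now >= until:
                del self.banned[ip]
                self.actions.append(f"iptables -D INPUT -s {ip} -j DROP")

    def feed(self, line):
        """Consume one log line. Returns None for lines that are not auth
        failures, otherwise 'fail', 'ban' or 'already-banned'."""
        m = FAIL_RE.match(line)
        if m is None:
            return None
        now = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        ip = m["ip"]
        self._expire_bans(now)
        if ip in self.banned:
            return "already-banned"
        recent = self.fails[ip]
        recent.append(now)
        # Drop failures that fell out of the sliding window.
        while recent and (now - recent[0]).total_seconds() > self.window_s:
            recent.popleft()
        if len(recent) >= self.max_fails:
            self.banned[ip] = now + timedelta(seconds=self.ban_s)
            recent.clear()
            self.actions.append(f"iptables -I INPUT -s {ip} -j DROP")
            return "ban"
        return "fail"


# Constructed sample log (no real hosts): one brute-forcer, one real user.
SAMPLE_LOG = """\
May  6 16:47:01 gw sshd[2041]: Invalid user test from 10.0.0.5
May  6 16:47:03 gw sshd[2041]: Failed password for invalid user test from 10.0.0.5 port 4421 ssh2
May  6 16:47:10 gw sshd[2043]: Failed password for root from 10.0.0.5 port 4430 ssh2
May  6 16:47:31 gw sshd[2045]: Failed password for invalid user admin from 10.0.0.5 port 4431 ssh2
May  6 16:48:02 gw sshd[2047]: Failed password for root from 10.0.0.5 port 4432 ssh2
May  6 16:48:05 gw sshd[2049]: Failed password for root from 10.0.0.5 port 4433 ssh2
May  6 16:49:00 gw sshd[2051]: Accepted publickey for alice from 192.0.2.7 port 5000 ssh2
May  6 16:49:30 gw sshd[2053]: Failed password for bob from 192.0.2.7 port 5001 ssh2
May  6 16:54:00 gw sshd[2055]: Failed password for root from 10.0.0.5 port 4440 ssh2
"""


def run_sample():
    """Feed the sample log through the banner; return verdicts and actions."""
    banner = SshdBanner()
    verdicts = [banner.feed(line) for line in SAMPLE_LOG.splitlines()]
    return verdicts, banner.actions


if __name__ == "__main__":
    verdicts, actions = run_sample()
    for verdict, line in zip(verdicts, SAMPLE_LOG.splitlines()):
        print(f"{str(verdict):15} {line}")
    print("\n".join(actions))
```

Two things to keep in mind before wiring the actions to a real `iptables` call: match the rule precisely on the way out (the `-D` above must name exactly the rule the `-I` inserted, or the unban silently fails and the address stays blocked), and whitelist your own management addresses first, since an attacker who can make sshd log failures "from" an address you care about can otherwise use the banner to lock you out.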
* Re: [gentoo-server] sshd (many connection attempts with invalid user)
From: Tim Schumacher @ 2005-05-06 18:16 UTC
To: gentoo-server
Hi,
Claudinei Matos schrieb:
> I have a lot of connection attempts on my ssh server. I've taken a look
> at the sshd_config man page but I didn't find a way to deny the source
> IP of the attempts for 5 minutes (for example) if this IP can't log in
> after 5 attempts (for example). Is there a way to do this?
You may want to try port knocking. The ssh port is blocked fully and you
have to open it by sending a magic packet to a secret port, after which
the ssh port is opened for your IP.
More info can be found at http://www.portknocking.org/.
greetings
Tim
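The mechanism Tim describes is a per-source state machine in front of a closed port: each connection attempt to one of the secret ports advances that source one step, a wrong port (or too long a pause) sends it back to the start, and completing the sequence opens port 22 for that source only, for a short time. The block below is an added example written for this page, not code from portknocking.org or any knock daemon. Its input is a list of (seconds, source address, destination port) events of the kind a firewall log of dropped SYNs would provide (the events are constructed, with documentation-range addresses), the knock sequence 7000, 8000, 9000 is an arbitrary choice, and the iptables commands are collected rather than executed.

```python
"""Port-knocking daemon logic: the SSH port stays closed until a source
address hits a secret sequence of ports in order; then, for that address
only, port 22 is opened for a short time.

Added example, not code from portknocking.org or any knock daemon. Events
are (seconds, source ip, destination port) tuples such as a firewall log of
dropped SYNs would give; iptables commands are collected, not executed.
"""


class KnockDaemon:
    def __init__(self, sequence=(7000, 8000, 9000), knock_timeout_s=10,
                 open_s=30, ssh_port=22):
        self.sequence = tuple(sequence)
        self.knock_timeout_s = knock_timeout_s
        self.open_s = open_s
        self.ssh_port = ssh_port
        self.progress = {}   # ip -> (index of next expected knock, time of last good knock)
        self.opened = {}     # ip -> time the hole closes again
        self.actions = []    # iptables commands (dry run)

    def knock(self, now, ip, port):
        """Feed one connection attempt. Returns 'progress', 'open' or 'reset'."""
        idx, last = self.progress.get(ip, (0, now))
        if idx and now - last > self.knock_timeout_s:
            idx = 0                      # too slow: start the sequence over
        if port == self.sequence[idx]:
            idx += 1
            if idx < len(self.sequence):
                self.progress[ip] = (idx, now)
                return "progress"
            self.progress.pop(ip, None)
            self.opened[ip] = now + self.open_s
            self.actions.append(
                f"iptables -I INPUT -p tcp -s {ip} --dport {self.ssh_port} -j ACCEPT")
            return "open"
        # Any other port, including a right knock out of order, resets the
        # sequence, so a scanner walking the port range cannot stumble
        # through it unless it hits the knocks in order with nothing between.
        self.progress.pop(ip, None)
        return "reset"

    def is_open(self, now, ip):
        """Is the SSH port currently open for ip? Closes expired holes."""
        until = self.opened.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.opened[ip]
            self.actions.append(
                f"iptables -D INPUT -p tcp -s {ip} --dport {self.ssh_port} -j ACCEPT")
            return False
        return True


# Constructed sample: 198.51.100.9 knows the sequence, 203.0.113.4 scans.
SAMPLE_EVENTS = [
    (0, "198.51.100.9", 7000),
    (2, "198.51.100.9", 8000),
    (4, "198.51.100.9", 9000),    # sequence complete: open for 30 s
    (1, "203.0.113.4", 7000),
    (2, "203.0.113.4", 7001),     # scanner hits the next port: reset
    (3, "203.0.113.4", 8000),     # second knock without the first: reset
    (50, "203.0.113.4", 7000),
    (70, "203.0.113.4", 8000),    # 20 s after the first knock: too slow
]


def run_sample():
    """Replay the sample events; return verdicts, open/closed state, actions."""
    kd = KnockDaemon()
    verdicts = [kd.knock(*event) for event in SAMPLE_EVENTS]
    state = {
        "good_open_at_5": kd.is_open(5, "198.51.100.9"),
        "good_open_at_40": kd.is_open(40, "198.51.100.9"),
        "scanner_open_at_5": kd.is_open(5, "203.0.113.4"),
    }
    return verdicts, state, kd.actions


if __name__ == "__main__":
    verdicts, state, actions = run_sample()
    for event, verdict in zip(SAMPLE_EVENTS, verdicts):
        print(event, verdict)
    print(state)
    print("\n".join(actions))
```

The caveats a practitioner wants before relying on this: a plain TCP knock sequence is visible to anyone who can sniff the path and can be replayed, so treat it as hiding the port rather than authenticating the client (a single-packet variant that carries a timestamp and a MAC under a shared key fixes the replay problem); the rule that opens the hole should sit alongside an unconditional accept for ESTABLISHED connections, or closing the hole will cut off the session you just opened; and, as radu says above, have an out-of-band way back in before you put any of this in front of your only login path.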
* Re: [gentoo-server] sshd (many connection attempts with invalid user)
From: Ben Munat @ 2005-05-07 3:06 UTC
To: gentoo-server
Dan Noe wrote:
>
> Use a perl utility called "sshd_sentry":
>
> http://linuxmafia.com/pub/linux/security/sshd_sentry/
Got a 404 on that url...
* Re: [gentoo-server] sshd (many connection attempts with invalid user)
From: Pete Ezzo @ 2005-05-07 6:07 UTC
To: gentoo-server
On 5/6/05, Ben Munat <bent@munat.com> wrote:
> Dan Noe wrote:
> >
> > Use a perl utility called "sshd_sentry":
> >
> > http://linuxmafia.com/pub/linux/security/sshd_sentry/
>
> Got a 404 on that url...
> --
http://www.linuxmafia.com/pub/linux/security/sshd_sentry/
www makes a difference
* Re: [gentoo-server] sshd (many connection attempts with invalid user)
From: Dan Noe @ 2005-05-07 6:11 UTC
To: gentoo-server
On Sat, May 07, 2005 at 01:07:57AM -0500, Pete Ezzo wrote:
> On 5/6/05, Ben Munat <bent@munat.com> wrote:
> > Dan Noe wrote:
> > >
> > > Use a perl utility called "sshd_sentry":
> > >
> > > http://linuxmafia.com/pub/linux/security/sshd_sentry/
> >
> > Got a 404 on that url...
> > --
>
> http://www.linuxmafia.com/pub/linux/security/sshd_sentry/
>
> www makes a difference
You might also want to check out login_sentry, an updated version of
sshd sentry by Jesse Shrieve:
http://www.lumiere.net/~j/login_sentry/
Simple and it works well.
-D
--
/--------------- - - - - - -
| Dan Noe, freelance hacker
| http://isomerica.net/
* Re: [gentoo-server] sshd (many connection attempts with invalid user)
From: James Chapman @ 2005-05-08 10:19 UTC
To: gentoo-server
http://forums.gentoo.org/viewtopic-p-2369557-highlight-.html#2369557
--
James Chapman
+44 787 165 0027
--
XP is the fisher price of operating systems - Simon Frost
Windows: A colourful clown suit for DOS - Unknown
* Re: [gentoo-server] sshd (many connection attempts with invalid user)
From: Ivan Savcic @ 2005-05-09 20:45 UTC
To: gentoo-server
Tim Schumacher wrote:
> You may want to try port knocking. The ssh port is blocked fully and you
> have to open it by sending a magic packet to a secret port, after which
> the ssh port is opened for your IP.
>
> More info can be found at http://www.portknocking.org/.
I completely agree with you. I recommend this solution.
--
Ivan "imp" Savcic
GNU/Linux admin
email: imp at imped dot net
jabber: imp at jabber dot hu
* Re: [gentoo-server] sshd (many connection attempts with invalid user)
From: Sancho2k.net Lists @ 2005-05-11 1:33 UTC
To: gentoo-server
Claudinei Matos wrote:
> Hi,
>
> I have a lot of connection attempts on my ssh server. I've taken a look
> at the sshd_config man page but I didn't find a way to deny the source
> IP of the attempts for 5 minutes (for example) if this IP can't log in
> after 5 attempts (for example). Is there a way to do this?
I see the same thing on many of my servers. What's the real issue?
I configure my sshd to only allow public key-based authentication. I use
1024 bit DSA keys and SSHv2 only. They can try brute forcing the box for
centuries if they want, and they won't come any closer to getting in. I
personally don't see a huge point in blocking attacks, but only if
you're set up securely.
Users that allow SSHv1 or allow password auth and use weak passwords,
now that is an issue to worry about, but you've got bigger problems on
your hands.
DS
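DS's position (SSHv2 only, public key only, no password authentication) is a handful of sshd_config directives, and the mistakes people make with them are about how sshd reads the file rather than about the directives themselves. The block below is an added example written for this page, not OpenSSH code: a small checker that parses an sshd_config the way sshd does (keywords are case-insensitive, the first occurrence of a keyword wins, and directives after a Match line are conditional, so only the global section is audited) and reports the weak settings this message is about. The weak and hardened sample configs are constructed for the example; the hardened one is the configuration DS describes.

```python
"""Audit an sshd_config for the settings argued about in this thread: SSHv1,
password (and keyboard-interactive) authentication, root login, and whether
public-key authentication is on.

Added example, not OpenSSH code. The sample configs are constructed.
Two sshd_config rules the parser honours: keywords are case-insensitive
and the FIRST occurrence of a keyword wins; directives after a Match line
apply conditionally, so only the global section is audited.
"""
import re

# "Keyword value" or "Keyword=value", as sshd_config allows.
DIRECTIVE_RE = re.compile(r"^(\S+?)\s*(?:=|\s)\s*(.*)$")

# Constructed sample: the kind of config that leaves the door open.
WEAK_CONFIG = """\
# constructed sample sshd_config, not from any real host
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
# sshd keeps the first value above; this later line has no effect
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
"""

# Constructed sample: SSHv2 only, keys only, no password paths left open.
HARDENED_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
"""


def parse_sshd_config(text):
    """Return {keyword_lower: value} for the global section of an sshd_config."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        if m is None:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break                      # everything after here is conditional
        cfg.setdefault(key, value)     # first occurrence wins, as in sshd
    return cfg


def audit(cfg):
    """Return the list of weak settings found; an empty list means clean."""
    def val(key, default):
        return cfg.get(key, default).lower()

    findings = []
    protocols = [p.strip() for p in val("protocol", "").split(",")]
    # Absent: sshd releases of this thread's era defaulted to "2,1", so
    # insist on an explicit "Protocol 2".
    if "protocol" not in cfg or "1" in protocols:
        findings.append("sshv1")
    # Both default to yes in sshd, so a missing line counts as enabled.
    if val("passwordauthentication", "yes") == "yes":
        findings.append("password-auth")
    if val("challengeresponseauthentication", "yes") == "yes":
        findings.append("challenge-response")
    if val("permitrootlogin", "") == "yes":
        findings.append("root-login")
    if val("permitemptypasswords", "no") == "yes":
        findings.append("empty-passwords")
    if val("pubkeyauthentication", "yes") == "no":
        findings.append("no-pubkey")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(parse_sshd_config(text)) or 'clean'}")
```

The "challenge-response" finding is the one most often missed: with PAM in use, ChallengeResponseAuthentication yes (called KbdInteractiveAuthentication in newer releases) lets sshd prompt for a password through keyboard-interactive even when PasswordAuthentication is no, so both have to be off for the box to be keys-only. Run the checker against /etc/ssh/sshd_config after an edit, then confirm with `ssh -o PubkeyAuthentication=no host` that you are refused rather than prompted.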
* Re: [gentoo-server] sshd (many connection attempts with invalid user)
From: Dan Noe @ 2005-05-11 1:42 UTC
To: gentoo-server
On Tue, May 10, 2005 at 07:33:15PM -0600, Sancho2k.net Lists wrote:
> I configure my sshd to only allow public key-based authentication. I use
> 1024 bit DSA keys and SSHv2 only. They can try brute forcing the box for
> centuries if they want, and they won't come any closer to getting in. I
> personally don't see a huge point to blocking attacks, but only if
> you're set up securely.
Disallowing password authentication isn't something that works for
everyone (along with port knocking, running SSH on an odd port, etc). I
run a server which allows public access to many people. I try to make
sure passwords are secure and SSHv1 is disabled, but I really can't be
locking down any more severely.
With an automated script, it can cut the attacks short while at the same
time alerting me to the attack. Why risk it?
> Users that allow SSHv1 or allow password auth and use weak passwords,
> now that is an issue to worry about, but you've got bigger problems on
> your hands.
Primarily my reason for using login_sentry is it emails me when an
attack is occurring. This provides me with an opportunity to
whois/reverse DNS the name and figure out where the attack is coming
from. If it is from a US/UK/Likely English Speaking/Likely to Care ISP
I will report it to their abuse desk.
In almost all of these cases the machine in question has been
compromised and is being used by a 3rd party cracker to scan for more
vulnerable boxen (creating botnets). If you, as an admin, are willing
to spend 5 minutes reporting these attacks you've potentially shut down
zombie boxes and you are doing the administrator and the ISP a huge
favor.
--
/--------------- - - - - - -
| Dan Noe, freelance hacker
| http://isomerica.net/
* Re: [gentoo-server] sshd (many connection attempts with invalid user)
From: Sancho2k.net Lists @ 2005-05-11 2:28 UTC
To: gentoo-server
Dan Noe wrote:
> On Tue, May 10, 2005 at 07:33:15PM -0600, Sancho2k.net Lists wrote:
>
>>I configure my sshd to only allow public key-based authentication. I use
>>1024 bit DSA keys and SSHv2 only. They can try brute forcing the box for
>>centuries if they want, and they won't come any closer to getting in. I
>>personally don't see a huge point to blocking attacks, but only if
>>you're set up securely.
>
>
> Disallowing password authentication isn't something that works for
> everyone (along with port knocking, running SSH on an odd port, etc). I
> run a server which allows public access to many people. I try to make
> sure passwords are secure and SSHv1 is disabled, but I really can't be
> locking down any more severely.
Circumstances understood. I think too many people however err towards
laziness in this scenario. Password authentication is terrible - plain
and simple. Passwords are difficult to keep strong. Cracklib helps in
making sure most kinds of weak passwords are caught, but you can
certainly get by it. Besides, with ssh agents available for all popular
platforms, there is no reason that *most* people couldn't use RSA auth
for their SSH servers.
> In almost all of these cases the machine in question has been
> compromised and is being used by a 3rd party cracker to scan for more
> vulnerable boxen (creating botnets). If you, as an admin, are willing
> to spend 5 minutes reporting these attacks you've potentially shut down
> zombie boxes and you are doing the administrator and the ISP a huge
> favor.
You've obviously had much better luck with abuse@ contacts than I have.
I have found the few that I've tried to be complete wastes of time.
DS