Restricting SSH login attempts

Clive
Posts: 144
Joined: 07 Mar 2007, 07:15

Restricting SSH login attempts

Post by Clive » 14 Jun 2007, 05:29

I've noticed, looking at my /var/log/auth.log, that some hacking bot has been attempting to gain access to my Bubba via SSH. It hasn't succeeded of course but throws hundreds of login attempts over the space of a few minutes.

Is there a possibility to configure SSH so that it will only allow 3 or 4 wrong password attempts to come from a single IP address before it locks attempts from that IP address /or for a short cooling off period?

//Clive.

sc0rp
Posts: 11
Joined: 25 Apr 2007, 02:38
Location: Lund

Re: Restricting SSH login attempts

Post by sc0rp » 14 Jun 2007, 07:13

Clive wrote: I've noticed, looking at my /var/log/auth.log, that some hacking bot has been attempting to gain access to my Bubba via SSH. It hasn't succeeded of course but throws hundreds of login attempts over the space of a few minutes.

Is there a possibility to configure SSH so that it will only allow 3 or 4 wrong password attempts to come from a single IP address before it locks attempts from that IP address /or for a short cooling off period?

//Clive.

Do you run ssh on the default port? How about changing it to something else, like 2222, or have you already done this?

Anyway here's how to change the default port:

sudo nano /etc/ssh/sshd_config

Edit the port number (it should be on the first lines of that file) to whatever you want (e.g. 2222), then restart the service:

sudo /etc/init.d/ssh restart

This should reduce the login attempts anyway.

Clive
Posts: 144
Joined: 07 Mar 2007, 07:15

Post by Clive » 14 Jun 2007, 08:25

Thanks, I may investigate doing this, however I normally SSH into my Bubba via my company's firewall. Port 23 is open but I will have to check if the others are first.

Jocke
Posts: 13
Joined: 05 Jan 2007, 14:09
Location: Lund, Sweden

Post by Jocke » 14 Jun 2007, 08:38

I changed the public port in my router for SSH, after that it's reduced to 0 attempts.

I thought it was easier to change it in the router instead of with sshd_config.

sc0rp
Posts: 11
Joined: 25 Apr 2007, 02:38
Location: Lund

Post by sc0rp » 14 Jun 2007, 08:45

Jocke wrote: I changed the public port in my router for SSH, after that it's reduced to 0 attempts.

I thought it was easier to change it in the router instead of with sshd_config.

Sure, that's also a good solution.

Clive
Posts: 144
Joined: 07 Mar 2007, 07:15

Post by Clive » 14 Jun 2007, 08:54

Ahh, that'll work for me. Thanks !

I worry about messing with sshd too much because if I break it, then I've lost all my access.

tor
Posts: 703
Joined: 06 Dec 2006, 12:24

Post by tor » 15 Jun 2007, 02:37

Another way to solve this without messing with sshd is to change ports in your firewall, so that, let's say, port 2222 externally is forwarded to Bubba's port 22 internally.

This way you can still access Bubba as normal when on the LAN. But when accessing from outside you use the 2222 port instead.

/Tor
Co-founder OpenProducts and Ex Excito Developer

Cheeseboy
Posts: 789
Joined: 08 Apr 2007, 12:16

Post by Cheeseboy » 15 Jun 2007, 14:08

It is interesting though to see all the usernames they try to log in with :-)

How does this work really? When successful do they detect that they have hit an existing login, and then they start running through another (or the same) dictionary for the password? Just a username and no password doesn't make a gate-crasher happy....

I use putty for ssh and if I enter an invalid username I still get the password prompt, so how would they notice that they have hit an existing user?

Cheers

/Niklas

bjorn
Posts: 88
Joined: 03 Jan 2007, 09:02

Post by bjorn » 15 Jun 2007, 18:01

They don't. :)

Cheeseboy
Posts: 789
Joined: 08 Apr 2007, 12:16

Post by Cheeseboy » 15 Jun 2007, 18:12

Ah, it makes me feel much better, but still confused. Why bother then?

Cheeseboy
Posts: 789
Joined: 08 Apr 2007, 12:16

Post by Cheeseboy » 15 Jun 2007, 18:37

Ehrm, sorry for posting that question. Of course they have likely passwords to go with all their login attempts, like oracle/oracle or oracle/manager...

Ubi
Posts: 1547
Joined: 17 Jul 2007, 09:01

Post by Ubi » 30 Jul 2007, 03:59

Why not solve the problem properly and install BlockHosts?

http://freshmeat.net/projects/blockhosts/

Cheeseboy
Posts: 789
Joined: 08 Apr 2007, 12:16

Post by Cheeseboy » 01 Aug 2007, 16:51

Hi Ubi,

Thanks for that, it looks interesting.
I will check it out when I get some time to install python.

Cheers

Cheeseboy
