
Restricting SSH login attempts

Posted: 14 Jun 2007, 05:29
by Clive
I've noticed looking at my /var/log/auth.log that some hacking bot has been attempting to gain access to my Bubba via SSH. It hasn't succeeded of course but throws hundreds of login attempts over the space of a few minutes.

Is there a possibility to configure SSH so that it will only allow 3 or 4 wrong password attempts to come from a single IP address before it locks attempts from that IP address /or for a short cooling off period?

//Clive.

Re: Restricting SSH login attempts

Posted: 14 Jun 2007, 07:13
by sc0rp
Clive wrote: I've noticed looking at my /var/log/auth.log that some hacking bot has been attempting to gain access to my Bubba via SSH. It hasn't succeeded of course but throws hundreds of login attempts over the space of a few minutes.

Is there a possibility to configure SSH so that it will only allow 3 or 4 wrong password attempts to come from a single IP address before it locks attempts from that IP address /or for a short cooling off period?

//Clive.

Do you run ssh on the default port? How about changing it to something else, like 2222, or have you already done this?

Anyway here's how to change the default port:

Code:

sudo nano /etc/ssh/sshd_config

Edit the port number (it should be on the first lines of that file) to whatever you want (e.g. 2222), then restart the service:

Code:

sudo /etc/init.d/ssh restart

This should reduce the login attempts anyway.

Posted: 14 Jun 2007, 08:25
by Clive
Thanks, I may investigate doing this, however I normally SSH into my Bubba via my company's firewall. Port 23 is open but I will have to check if the others are first.

Posted: 14 Jun 2007, 08:38
by Jocke
I changed the public port in my router for SSH, after that it's reduced to 0 attempts.

I thought it was easier to change it in the router instead of with sshd_config.

Posted: 14 Jun 2007, 08:45
by sc0rp
Jocke wrote: I changed the public port in my router for SSH, after that it's reduced to 0 attempts.

I thought it was easier to change it in the router instead of with sshd_config.

Sure, that's also a good solution.

Posted: 14 Jun 2007, 08:54
by Clive
Ahh, that'll work for me. Thanks!

I worry about messing with sshd too much because if I break it, then I've lost all my access.

Posted: 15 Jun 2007, 02:37
by tor
Another way to solve this without messing with sshd is to change ports in your firewall, so that, let's say, port 2222 externally is forwarded to Bubba's port 22 internally.

This way you can still access Bubba as normal when on the LAN. But when accessing from outside you use the 2222 port instead.

/Tor

Posted: 15 Jun 2007, 14:08
by Cheeseboy
It is interesting though to see all the usernames they try to log in with :-)

How does this work really? When successful do they detect that they have hit an existing login, and then they start running through another (or the same) dictionary for the password? Just a username and no password doesn't make a gate-crasher happy....

I use putty for ssh and if I enter an invalid username I still get the password prompt, so how would they notice that they have hit an existing user?

Cheers

/Niklas

Posted: 15 Jun 2007, 18:01
by bjorn
they don't. :)

Posted: 15 Jun 2007, 18:12
by Cheeseboy
Ah, it makes me feel much better, but still confused. Why bother then?

Posted: 15 Jun 2007, 18:37
by Cheeseboy
Ehrm, sorry for posting that question. Of course they have likely passwords to go with all their login attempts, like oracle/oracle or oracle/manager...

Posted: 30 Jul 2007, 03:59
by Ubi
Why not solve the problem properly and install BlockHosts?

http://freshmeat.net/projects/blockhosts/
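
Added example (not part of the original posts, and not BlockHosts' own code): a sketch of the approach log-watching tools take to the question at the top of the thread, counting failed logins per source address in auth.log and listing addresses over the limit for a cooling-off period. It assumes OpenSSH "Failed password" syslog lines and TCP-wrappers style hosts.deny entries; the thresholds, the year and all sample log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Anchored on the end of the line with a greedy user field, so text placed
# in a username cannot pose as the source address.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?.* "
    r"from (?P<ip>[0-9A-Fa-f.:]+) port \d+ ssh2$"
)

def blocked_until(lines, max_failures=4, window=timedelta(minutes=5),
                  cooloff=timedelta(minutes=30), year=2007):
    """Return {ip: time the block expires} for IPs over the limit."""
    recent = defaultdict(deque)  # ip -> timestamps of failures in the window
    blocks = {}
    for line in lines:
        m = FAILED.match(line.rstrip("\n"))
        if not m:
            continue
        # syslog lines carry no year; it is passed in (assumption: 2007)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= max_failures:
            blocks[m["ip"]] = ts + cooloff  # each new failure extends the block
    return blocks

def hosts_deny(blocks, now):
    """Render blocks still active at `now` as /etc/hosts.deny entries."""
    return [f"sshd: {ip}" for ip, until in sorted(blocks.items()) if until > now]

# Constructed sample log (documentation-range addresses, not real data).
HEAD = "bubba sshd[901]: Failed password for"
SAMPLE = [
    f"Jun 14 05:21:0{s} {HEAD} invalid user oracle from 203.0.113.5 port 4001 ssh2"
    for s in (1, 3, 5, 7, 9)
] + [
    f"Jun 14 05:22:00 {HEAD} root from 198.51.100.7 port 4100 ssh2",
    f"Jun 14 05:22:05 {HEAD} invalid user x from 192.0.2.1 port 1 ssh2 from 198.51.100.7 port 4100 ssh2",
    "Jun 14 05:23:00 bubba sshd[902]: Accepted password for admin from 192.0.2.44 port 5000 ssh2",
]

if __name__ == "__main__":
    print("\n".join(hosts_deny(blocked_until(SAMPLE), datetime(2007, 6, 14, 5, 30))))
```

The second 198.51.100.7 line has a username containing " from 192.0.2.1 port 1 ssh2"; because the pattern takes the last address on the line, 192.0.2.1 is never counted or blocked.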

Posted: 01 Aug 2007, 16:51
by Cheeseboy
Hi Ubi,

Thanks for that, it looks interesting.
I will check it out when I get some time to install Python.

Cheers

Cheeseboy