
Restricting SSH login attempts

Clive
Posts: 164
Joined: 07 Mar 2007, 07:15

Restricting SSH login attempts

Post by Clive »

I've noticed looking at my /var/log/auth.log that some hacking bot has been attempting to gain access to my Bubba via SSH. It hasn't succeeded of course but throws hundreds of login attempts over the space of a few minutes.

Is there a possibility to configure SSH so that it will only allow 3 or 4 wrong password attempts to come from a single IP address before it locks attempts from that IP address /or for a short cooling off period?

//Clive.
sc0rp
Posts: 11
Joined: 25 Apr 2007, 02:38
Location: Lund

Re: Restricting SSH login attempts

Post by sc0rp »

Clive wrote:
I've noticed looking at my /var/log/auth.log that some hacking bot has been attempting to gain access to my Bubba via SSH. It hasn't succeeded of course but throws hundreds of login attempts over the space of a few minutes.

Is there a possibility to configure SSH so that it will only allow 3 or 4 wrong password attempts to come from a single IP address before it locks attempts from that IP address /or for a short cooling off period?

//Clive.

Do you run ssh on the default port? How about changing it to something else, like 2222, or have you already done this?

Anyway, here's how to change the default port:

Code:

sudo nano /etc/ssh/sshd_config

Edit the port number (it should be on the first lines of that file) to whatever you want (e.g. 2222), then restart the service:

Code:

sudo /etc/init.d/ssh restart

This should reduce the login attempts anyway.
Clive
Posts: 164
Joined: 07 Mar 2007, 07:15

Post by Clive »

Thanks, I may investigate doing this, however I normally SSH into my Bubba via my company's firewall. Port 23 is open but I will have to check if the others are first.
Jocke
Posts: 13
Joined: 05 Jan 2007, 14:09
Location: Lund, Sweden

Post by Jocke »

I changed the public port in my router for SSH, after that it's reduced to 0 attempts.

I thought it was easier to change it in the router instead of with sshd_config.
sc0rp
Posts: 11
Joined: 25 Apr 2007, 02:38
Location: Lund

Post by sc0rp »

Jocke wrote:
I changed the public port in my router for SSH, after that it's reduced to 0 attempts.

I thought it was easier to change it in the router instead of with sshd_config.

Sure, that's also a good solution.
Clive
Posts: 164
Joined: 07 Mar 2007, 07:15

Post by Clive »

Ahh, that'll work for me. Thanks !

I worry about messing with sshd too much because if I break it, then I've lost all my access.
tor
Posts: 703
Joined: 06 Dec 2006, 12:24

Post by tor »

Another way to solve this without messing with sshd is to change ports in your firewall, so that, let's say, port 2222 externally is forwarded to Bubba's port 22 internally.

This way you can still access Bubba as normal when on the LAN. But when accessing from outside you use the 2222 port instead.

/Tor
Co-founder OpenProducts and Ex Excito Developer
Cheeseboy
Posts: 789
Joined: 08 Apr 2007, 12:16

Post by Cheeseboy »

It is interesting though to see all the usernames they try to log in with :-)

How does this work really? When successful do they detect that they have hit an existing login, and then they start running through another (or the same) dictionary for the password? Just a username and no password doesn't make a gate-crasher happy....

I use putty for ssh and if I enter an invalid username I still get the password prompt, so how would they notice that they have hit an existing user?

Cheers

/Niklas
bjorn
Posts: 88
Joined: 03 Jan 2007, 09:02

Post by bjorn »

they don't. :)
Cheeseboy
Posts: 789
Joined: 08 Apr 2007, 12:16

Post by Cheeseboy »

Ah, it makes me feel much better, but still confused. Why bother then?
Cheeseboy
Posts: 789
Joined: 08 Apr 2007, 12:16

Post by Cheeseboy »

Ehrm, sorry for posting that question. Of course they have likely passwords to go with all their login attempts, like oracle/oracle or oracle/manager...
Ubi
Posts: 1549
Joined: 17 Jul 2007, 09:01

Post by Ubi »

Why not solve the problem properly and install BlockHosts?

http://freshmeat.net/projects/blockhosts/
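
The per-address lockout Clive asks about in the first post (a few failed passwords from one IP, then a cooling-off period), sketched over /var/log/auth.log lines as an added example; it is not part of the thread and is not BlockHosts' code. The thresholds, the `year` argument, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy, taken from the question: 3 failures, then a short cool-off.
MAX_FAILURES, WINDOW, COOL_OFF = 3, timedelta(minutes=5), timedelta(minutes=15)

# The user name is remote-controlled text, so anchor the address on the END
# of the line; a name containing " from 1.2.3.4" must not shift the match.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?.* from (?P<ip>\S+) port \d+ ssh2$")

def parse_failure(line, year):
    """Return (timestamp, ip) for a failed-password line, else None (syslog has no year)."""
    m = FAILED.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"]

def find_blocks(lines, year=2007):
    """Return [(ip, blocked_from, blocked_until)] in log order."""
    recent = defaultdict(deque)      # ip -> failure times inside WINDOW
    blocked_until, blocks = {}, []
    hits = (parse_failure(line, year) for line in lines)
    for ts, ip in filter(None, hits):
        if ts < blocked_until.get(ip, datetime.min):
            continue                 # still cooling off; a firewall would drop this
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > WINDOW:    # forget failures older than WINDOW
            q.popleft()
        if len(q) >= MAX_FAILURES:
            blocked_until[ip] = ts + COOL_OFF
            blocks.append((ip, ts, ts + COOL_OFF))
            q.clear()
    return blocks

# Constructed sample lines in OpenSSH's auth.log format (documentation addresses).
SAMPLE = """\
Jul 17 09:01:02 bubba sshd[2101]: Failed password for invalid user oracle from 203.0.113.5 port 40112 ssh2
Jul 17 09:01:04 bubba sshd[2102]: Failed password for root from 198.51.100.7 port 51000 ssh2
Jul 17 09:01:05 bubba sshd[2103]: Failed password for invalid user test from 203.0.113.5 port 40120 ssh2
Jul 17 09:01:07 bubba sshd[2104]: Failed password for root from 203.0.113.5 port 40131 ssh2
Jul 17 09:01:09 bubba sshd[2105]: Failed password for admin from 203.0.113.5 port 40140 ssh2
""".splitlines()

if __name__ == "__main__":
    print(find_blocks(SAMPLE))
```

The returned block list is only a decision; enforcing it (for example with a hosts.deny entry or a firewall rule) is left to whatever mechanism the box already uses.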
Cheeseboy
Posts: 789
Joined: 08 Apr 2007, 12:16

Post by Cheeseboy »

Hi Ubi,

Thanks for that, it looks interesting.
I will check it out when I get some time to install Python.

Cheers

Cheeseboy