# [SOLVED] weird sshd: thousands of access attempts

## ferreirafm

Hi Gentoosers,

I've got thousands of access attempts from different IP addresses in the syslog messages file (/var/log/messages). What does it mean? A hacker attack? It seems to be some program trying to access the sshd service repetitively from the same IP with different users. Sometimes I can see access attempts from different IPs. Is there any sshd setting to prevent such behavior?   :Rolling Eyes: 

I'm running openssh with default settings and the following USE flags:

```
externo init.d # equery uses openssh
[ Searching for packages matching openssh... ]
[ Colour Code : set unset ]
[ Legend : Left column  (U) - USE flags from make.conf              ]
[        : Right column (I) - USE flags packages was installed with ]
[ Found these USE variables for net-misc/openssh-5.2_p1-r1 ]
 U I
 + + X         : Adds support for X11
 - - X509      : Adds support for X.509 certificate authentication
 - - hpn       : Enable high performance ssh
 - - kerberos  : Adds kerberos support
 - - ldap      : Adds LDAP support (Lightweight Directory Access Protocol)
 - - libedit   : Use the libedit library (replacement for readline)
 + + pam       : Adds support PAM (Pluggable Authentication Modules) - DANGEROUS to arbitrarily flip
 - - pkcs11    : Enable PKCS#11 smartcard support
 - - selinux   : !!internal use only!! Security Enhanced Linux support, this must be set by the selinux profile or breakage will occur
 - - skey      : Enable S/Key (Single use password) authentication support
 - - smartcard : Enables smartcard support
 - - static    : !!do not set this during bootstrap!! Causes binaries to be statically linked instead of dynamically
 + + tcpd      : Adds support for TCP wrappers
```

Cuts of my messages file below:

```
...
Apr 28 12:32:03 externo sshd[13149]: Invalid user administrator from 88.85.95.129
Apr 28 12:32:06 externo sshd[13153]: Invalid user administrator from 88.85.95.129
Apr 28 12:32:09 externo sshd[13157]: Invalid user administrator from 88.85.95.129
Apr 28 12:32:11 externo sshd[13164]: Invalid user administrator from 88.85.95.129
Apr 28 12:32:14 externo sshd[13168]: Invalid user administrator from 88.85.95.129
Apr 28 12:32:16 externo sshd[13172]: Invalid user administrator from 88.85.95.129
Apr 28 12:32:19 externo sshd[13176]: Invalid user administrator from 88.85.95.129
Apr 28 12:32:22 externo sshd[13180]: Invalid user administrator from 88.85.95.129
Apr 28 12:32:24 externo sshd[13184]: Invalid user administrator from 88.85.95.129
Apr 28 12:32:27 externo sshd[13188]: Invalid user administrator from 88.85.95.129
Apr 28 12:32:29 externo sshd[13192]: Invalid user administrator from 88.85.95.129
Apr 28 12:32:32 externo sshd[13196]: Invalid user administrator from 88.85.95.129
Apr 28 12:32:35 externo sshd[13200]: Invalid user postfix from 88.85.95.129
Apr 28 12:32:37 externo sshd[13204]: Invalid user postfix from 88.85.95.129
Apr 28 12:32:40 externo sshd[13208]: Invalid user postfix from 88.85.95.129
Apr 28 12:32:43 externo sshd[13212]: Invalid user postfix from 88.85.95.129
Apr 28 12:32:45 externo sshd[13219]: Invalid user postfix from 88.85.95.129
Apr 28 12:32:48 externo sshd[13223]: Invalid user postfix from 88.85.95.129
Apr 28 12:32:51 externo sshd[13227]: Invalid user postfix from 88.85.95.129
Apr 28 12:32:53 externo sshd[13231]: Invalid user postfix from 88.85.95.129
...
Apr 28 12:38:53 externo sshd[13818]: Invalid user oracle from 88.85.95.129
Apr 28 12:38:56 externo sshd[13823]: Invalid user oracle from 88.85.95.129
Apr 28 12:38:58 externo sshd[13827]: Invalid user office from 88.85.95.129
Apr 28 12:43:42 externo sshd[14268]: Invalid user upload from 88.85.95.129
Apr 28 12:43:45 externo sshd[14272]: Invalid user upload from 88.85.95.129
Apr 28 12:43:47 externo sshd[14276]: Invalid user upload from 88.85.95.129
Apr 28 12:43:50 externo sshd[14280]: Invalid user demo from 88.85.95.129
Apr 28 12:43:53 externo sshd[14284]: Invalid user demo from 88.85.95.129
Apr 28 12:43:55 externo sshd[14288]: Invalid user demo from 88.85.95.129
Apr 28 12:43:58 externo sshd[14292]: Invalid user demo from 88.85.95.129
Apr 28 12:44:01 externo sshd[14296]: Invalid user demo from 88.85.95.129
Apr 28 12:44:03 externo sshd[14300]: Invalid user demo from 88.85.95.129
Apr 28 12:44:06 externo sshd[14304]: Invalid user demo from 88.85.95.129
Apr 28 12:44:09 externo sshd[14308]: Invalid user demo from 88.85.95.129
Apr 28 12:44:12 externo sshd[14312]: Invalid user demo from 88.85.95.129
Apr 28 12:44:15 externo sshd[14316]: Invalid user demo from 88.85.95.129
Apr 28 12:44:18 externo sshd[14320]: Invalid user demo from 88.85.95.129
Apr 28 12:44:20 externo sshd[14324]: Invalid user sales from 88.85.95.129
Apr 28 12:44:23 externo sshd[14328]: Invalid user sales from 88.85.95.129
Apr 28 12:44:26 externo sshd[14332]: Invalid user sales from 88.85.95.129
Apr 28 12:44:28 externo sshd[14336]: Invalid user sales from 88.85.95.129
Apr 28 12:44:31 externo sshd[14340]: Invalid user sales from 88.85.95.129
Apr 28 12:44:33 externo sshd[14344]: Invalid user sales from 88.85.95.129
Apr 28 12:44:36 externo sshd[14348]: Invalid user sales from 88.85.95.129
Apr 28 12:44:39 externo sshd[14352]: Invalid user sales from 88.85.95.129
Apr 28 12:44:41 externo sshd[14359]: Invalid user sales from 88.85.95.129
Apr 28 12:44:44 externo sshd[14366]: Invalid user student from 88.85.95.129
Apr 28 12:44:46 externo sshd[14374]: Invalid user student from 88.85.95.129
Apr 28 12:44:49 externo sshd[14380]: Invalid user student from 88.85.95.129
Apr 28 12:44:51 externo sshd[14384]: Invalid user student from 88.85.95.129
Apr 28 12:44:54 externo sshd[14388]: Invalid user student from 88.85.95.129
Apr 28 12:44:57 externo sshd[14392]: Invalid user student from 88.85.95.129
Apr 28 12:45:00 externo sshd[14396]: Invalid user student from 88.85.95.129
Apr 28 12:45:02 externo sshd[14400]: Invalid user student from 88.85.95.129
Apr 28 12:45:05 externo sshd[14404]: Invalid user support from 88.85.95.129
Apr 28 12:45:08 externo sshd[14408]: Invalid user support from 88.85.95.129
Apr 28 12:45:11 externo sshd[14412]: Invalid user support from 88.85.95.129
Apr 28 12:45:14 externo sshd[14416]: Invalid user support from 88.85.95.129
Apr 28 12:45:17 externo sshd[14422]: Invalid user support from 88.85.95.129
Apr 28 12:45:20 externo sshd[14426]: Invalid user support from 88.85.95.129
Apr 28 12:45:23 externo sshd[14430]: Invalid user support from 88.85.95.129
Apr 28 12:45:25 externo sshd[14434]: Invalid user support from 88.85.95.129
Apr 28 12:45:28 externo sshd[14438]: Invalid user support from 88.85.95.129
Apr 28 12:45:31 externo sshd[14442]: Invalid user support from 88.85.95.129
Apr 28 12:45:33 externo sshd[14446]: Invalid user www-data from 88.85.95.129
Apr 28 12:45:36 externo sshd[14450]: Invalid user www-data from 88.85.95.129
Apr 28 12:45:39 externo sshd[14454]: Invalid user www-data from 88.85.95.129
Apr 28 12:45:42 externo sshd[14458]: Invalid user www-data from 88.85.95.129
Apr 28 12:45:44 externo sshd[14462]: Invalid user www-data from 88.85.95.129
Apr 28 12:45:47 externo sshd[14466]: Invalid user www-data from 88.85.95.129
Apr 28 12:45:49 externo sshd[14470]: Invalid user www-data from 88.85.95.129
Apr 28 12:45:51 externo sshd[14474]: Invalid user web from 88.85.95.129
Apr 28 12:45:54 externo sshd[14478]: Invalid user web from 88.85.95.129
Apr 28 12:45:57 externo sshd[14482]: Invalid user web from 88.85.95.129
Apr 28 12:46:00 externo sshd[14486]: Invalid user web from 88.85.95.129
Apr 28 12:46:03 externo sshd[14490]: Invalid user web from 88.85.95.129
Apr 28 12:46:05 externo sshd[14494]: Invalid user web from 88.85.95.129
Apr 28 12:46:08 externo sshd[14498]: Invalid user web from 88.85.95.129
Apr 28 12:46:11 externo sshd[14502]: Invalid user web from 88.85.95.129
Apr 28 12:46:14 externo sshd[14506]: Invalid user web from 88.85.95.129
Apr 28 12:46:17 externo sshd[14510]: Invalid user web from 88.85.95.129
Apr 28 12:46:20 externo sshd[14514]: Invalid user web from 88.85.95.129
Apr 28 12:46:23 externo sshd[14518]: Invalid user web from 88.85.95.129
Apr 28 12:46:25 externo sshd[14522]: Invalid user account from 88.85.95.129
Apr 28 12:46:28 externo sshd[14526]: Invalid user account from 88.85.95.129
Apr 28 12:46:31 externo sshd[14530]: Invalid user account from 88.85.95.129
Apr 28 12:46:33 externo sshd[14534]: Invalid user account from 88.85.95.129
Apr 28 12:46:36 externo sshd[14538]: Invalid user account from 88.85.95.129
Apr 28 12:46:39 externo sshd[14542]: Invalid user account from 88.85.95.129
Apr 28 12:46:41 externo sshd[14546]: Invalid user mysql from 88.85.95.129
Apr 28 12:46:44 externo sshd[14550]: Invalid user mysql from 88.85.95.129
Apr 28 12:46:47 externo sshd[14554]: Invalid user mysql from 88.85.95.129
Apr 28 12:46:49 externo sshd[14558]: Invalid user mysql from 88.85.95.129
Apr 28 12:46:52 externo sshd[14562]: Invalid user mysql from 88.85.95.129
Apr 28 12:46:55 externo sshd[14566]: Invalid user mysql from 88.85.95.129
Apr 28 12:46:58 externo sshd[14570]: Invalid user mysql from 88.85.95.129
Apr 28 12:47:01 externo sshd[14574]: Invalid user mysql from 88.85.95.129
Apr 28 12:47:04 externo sshd[14578]: Invalid user mysql from 88.85.95.129
Apr 28 12:47:06 externo sshd[14582]: Invalid user mysql from 88.85.95.129
Apr 28 12:47:09 externo sshd[14586]: Invalid user mysql from 88.85.95.129
Apr 28 12:47:12 externo sshd[14590]: Invalid user apache from 88.85.95.129
Apr 28 12:47:16 externo sshd[14594]: Invalid user apache from 88.85.95.129
Apr 28 12:47:19 externo sshd[14598]: Invalid user apache from 88.85.95.129
Apr 28 12:47:22 externo sshd[14602]: Invalid user apache from 88.85.95.129
Apr 28 12:47:25 externo sshd[14606]: Invalid user apache from 88.85.95.129
Apr 28 12:47:28 externo sshd[14610]: Invalid user apache from 88.85.95.129
Apr 28 12:47:31 externo sshd[14614]: Invalid user apache from 88.85.95.129
Apr 28 12:47:34 externo sshd[14618]: Invalid user apache from 88.85.95.129
Apr 28 12:47:38 externo sshd[14622]: Invalid user apache from 88.85.95.129
Apr 28 12:47:41 externo sshd[14626]: Invalid user apache from 88.85.95.129
Apr 28 12:48:04 externo sshd[14658]: Invalid user mailman from 88.85.95.129
Apr 28 12:48:08 externo sshd[14662]: Invalid user mailman from 88.85.95.129
Apr 28 12:48:11 externo sshd[14666]: Invalid user mailman from 88.85.95.129
Apr 28 12:48:14 externo sshd[14670]: Invalid user mailman from 88.85.95.129
Apr 28 12:48:17 externo sshd[14675]: Invalid user mailman from 88.85.95.129
Apr 28 12:48:19 externo sshd[14679]: Invalid user mailman from 88.85.95.129
Apr 28 12:57:39 externo sshd[15509]: Invalid user brian from 88.85.95.129
Apr 28 12:57:41 externo sshd[15513]: Invalid user brian from 88.85.95.129
Apr 28 12:57:44 externo sshd[15517]: Invalid user brian from 88.85.95.129
Apr 28 12:57:47 externo sshd[15521]: Invalid user brian from 88.85.95.129
Apr 28 12:57:49 externo sshd[15525]: Invalid user bryon from 88.85.95.129
Apr 28 12:57:51 externo sshd[15529]: Invalid user bryon from 88.85.95.129
Apr 28 12:57:54 externo sshd[15533]: Invalid user ben from 88.85.95.129
Apr 28 12:57:57 externo sshd[15537]: Invalid user ben from 88.85.95.129
Apr 28 12:58:01 externo sshd[15541]: Invalid user ben from 88.85.95.129
Apr 28 12:58:03 externo sshd[15545]: Invalid user ben from 88.85.95.129
Apr 28 12:58:06 externo sshd[15549]: Invalid user ben from 88.85.95.129
Apr 28 12:58:09 externo sshd[15553]: Invalid user ben from 88.85.95.129
Apr 28 12:58:12 externo sshd[15557]: Invalid user ben from 88.85.95.129
Apr 28 12:58:14 externo sshd[15561]: Invalid user ben from 88.85.95.129
Apr 28 12:58:17 externo sshd[15565]: Invalid user ben from 88.85.95.129
Apr 28 12:58:20 externo sshd[15569]: Invalid user brad from 88.85.95.129
Apr 28 12:58:23 externo sshd[15573]: Invalid user brad from 88.85.95.129
Apr 28 12:58:25 externo sshd[15577]: Invalid user brad from 88.85.95.129
Apr 28 12:58:28 externo sshd[15581]: Invalid user brad from 88.85.95.129
Apr 28 12:58:30 externo sshd[15585]: Invalid user brad from 88.85.95.129
Apr 28 12:58:33 externo sshd[15589]: Invalid user brad from 88.85.95.129
Apr 28 12:58:36 externo sshd[15593]: Invalid user brad from 88.85.95.129
Apr 28 12:58:39 externo sshd[15597]: Invalid user brad from 88.85.95.129
Apr 28 12:58:41 externo sshd[15601]: Invalid user bruce from 88.85.95.129
Apr 28 12:58:44 externo sshd[15605]: Invalid user bruce from 88.85.95.129
Apr 28 12:58:47 externo sshd[15609]: Invalid user bruce from 88.85.95.129
Apr 28 12:58:49 externo sshd[15613]: Invalid user bruce from 88.85.95.129
Apr 28 12:58:52 externo sshd[15617]: Invalid user bruce from 88.85.95.129
Apr 28 12:58:54 externo sshd[15621]: Invalid user bruce from 88.85.95.129
Apr 28 12:58:57 externo sshd[15625]: Invalid user barbara from 88.85.95.129
Apr 28 12:59:00 externo sshd[15629]: Invalid user barbara from 88.85.95.129
Apr 28 12:59:03 externo sshd[15633]: Invalid user barbara from 88.85.95.129
Apr 28 12:59:05 externo sshd[15637]: Invalid user barbara from 88.85.95.129
Apr 28 12:59:08 externo sshd[15641]: Invalid user barbara from 88.85.95.129
Apr 28 12:59:11 externo sshd[15645]: Invalid user barbara from 88.85.95.129
Apr 28 12:59:14 externo sshd[15649]: Invalid user barbara from 88.85.95.129
Apr 28 12:59:16 externo sshd[15654]: Invalid user bill from 88.85.95.129
Apr 28 12:59:19 externo sshd[15658]: Invalid user bill from 88.85.95.129
Apr 28 12:59:22 externo sshd[15662]: Invalid user bill from 88.85.95.129
Apr 28 12:59:25 externo sshd[15666]: Invalid user bill from 88.85.95.129
Apr 28 12:59:27 externo sshd[15670]: Invalid user bill from 88.85.95.129
Apr 28 12:59:30 externo sshd[15674]: Invalid user bill from 88.85.95.129
Apr 28 12:59:32 externo sshd[15678]: Invalid user bill from 88.85.95.129
Apr 28 12:59:34 externo sshd[15682]: Invalid user brett from 88.85.95.129
Apr 28 12:59:37 externo sshd[15686]: Invalid user brett from 88.85.95.129
Apr 28 12:59:39 externo sshd[15690]: Invalid user brett from 88.85.95.129
Apr 28 12:59:42 externo sshd[15694]: Invalid user brett from 88.85.95.129
Apr 28 12:59:45 externo sshd[15698]: Invalid user brett from 88.85.95.129
Apr 28 12:59:48 externo sshd[15702]: Invalid user brett from 88.85.95.129
Apr 28 12:59:51 externo sshd[15706]: Invalid user brett from 88.85.95.129
Apr 28 12:59:53 externo sshd[15710]: Invalid user bryce from 88.85.95.129
Apr 28 12:59:55 externo sshd[15714]: Invalid user bryce from 88.85.95.129
Apr 28 12:59:58 externo sshd[15718]: Invalid user bryce from 88.85.95.129
Apr 28 13:00:01 externo cron[15726]: (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons )
Apr 28 13:00:01 externo cron[15731]: (root) CMD (rm -f /var/spool/cron/lastrun/cron.hourly)
Apr 28 13:00:01 externo sshd[15722]: Invalid user connie from 88.85.95.129
Apr 28 13:00:04 externo sshd[15740]: Invalid user connie from 88.85.95.129
Apr 28 13:00:06 externo sshd[15744]: Invalid user connie from 88.85.95.129
Apr 28 13:00:09 externo sshd[15749]: Invalid user connie from 88.85.95.129
Apr 28 13:00:11 externo sshd[15753]: Invalid user connie from 88.85.95.129
Apr 28 13:00:14 externo sshd[15757]: Invalid user connie from 88.85.95.129
Apr 28 13:00:16 externo sshd[15762]: Invalid user connie from 88.85.95.129
Apr 28 13:00:19 externo sshd[15768]: Invalid user craig from 88.85.95.129
Apr 28 13:00:21 externo sshd[15772]: Invalid user criag from 88.85.95.129
Apr 28 13:00:24 externo sshd[15776]: Invalid user craig from 88.85.95.129
Apr 28 13:00:27 externo sshd[15780]: Invalid user craig from 88.85.95.129
Apr 28 13:00:29 externo sshd[15784]: Invalid user craig from 88.85.95.129
Apr 28 13:00:31 externo sshd[15788]: Invalid user craig from 88.85.95.129
Apr 28 13:00:33 externo sshd[15792]: Invalid user craig from 88.85.95.129
Apr 28 13:00:36 externo sshd[15796]: Invalid user craig from 88.85.95.129
Apr 28 13:00:38 externo sshd[15800]: Invalid user christopher from 88.85.95.129
Apr 28 13:00:41 externo sshd[15804]: Invalid user christopher from 88.85.95.129
Apr 28 13:00:44 externo sshd[15808]: Invalid user christopher from 88.85.95.129
Apr 28 13:00:47 externo sshd[15812]: Invalid user clint from 88.85.95.129
Apr 28 13:00:49 externo sshd[15816]: Invalid user clint from 88.85.95.129
Apr 28 13:00:52 externo sshd[15821]: Invalid user clint from 88.85.95.129
Apr 28 13:00:54 externo sshd[15825]: Invalid user clint from 88.85.95.129
Apr 28 13:00:57 externo sshd[15829]: Invalid user clint from 88.85.95.129
Apr 28 13:00:59 externo sshd[15833]: Invalid user clint from 88.85.95.129
Apr 28 13:01:02 externo sshd[15837]: Invalid user clint from 88.85.95.129
Apr 28 13:01:04 externo sshd[15841]: Invalid user clint from 88.85.95.129
Apr 28 13:01:07 externo sshd[15845]: Invalid user chris from 88.85.95.129
Apr 28 13:01:10 externo sshd[15849]: Invalid user chris from 88.85.95.129
Apr 28 13:01:12 externo sshd[15853]: Invalid user chris from 88.85.95.129
Apr 28 13:01:15 externo sshd[15857]: Invalid user chris from 88.85.95.129
Apr 28 13:01:18 externo sshd[15861]: Invalid user chris from 88.85.95.129
Apr 28 13:01:21 externo sshd[15865]: Invalid user chris from 88.85.95.129
Apr 28 13:01:23 externo sshd[15869]: Invalid user chris from 88.85.95.129
Apr 28 13:01:26 externo sshd[15873]: Invalid user chris from 88.85.95.129
Apr 28 13:01:28 externo sshd[15877]: Invalid user chris from 88.85.95.129
Apr 28 13:01:31 externo sshd[15881]: Invalid user cora from 88.85.95.129
Apr 28 13:01:33 externo sshd[15885]: Invalid user cora from 88.85.95.129
Apr 28 13:01:36 externo sshd[15889]: Invalid user cora from 88.85.95.129
Apr 28 13:01:38 externo sshd[15893]: Invalid user cora from 88.85.95.129
Apr 28 13:01:40 externo sshd[15897]: Invalid user claire from 88.85.95.129
Apr 28 13:01:42 externo sshd[15901]: Invalid user claire from 88.85.95.129
Apr 28 13:01:45 externo sshd[15905]: Invalid user claire from 88.85.95.129
Apr 28 13:01:47 externo sshd[15909]: Invalid user claire from 88.85.95.129
Apr 28 13:01:50 externo sshd[15913]: Invalid user claire from 88.85.95.129
Apr 28 13:01:52 externo sshd[15917]: Invalid user claire from 88.85.95.129
Apr 28 13:01:55 externo sshd[15921]: Invalid user claire from 88.85.95.129
Apr 28 13:01:58 externo sshd[15925]: Invalid user christine from 88.85.95.129
Apr 28 13:02:01 externo sshd[15929]: Invalid user christine from 88.85.95.129
Apr 28 13:02:04 externo sshd[15933]: Invalid user christine from 88.85.95.129
Apr 28 13:02:06 externo sshd[15937]: Invalid user christine from 88.85.95.129
Apr 28 13:02:08 externo sshd[15941]: Invalid user christine from 88.85.95.129
Apr 28 13:02:11 externo sshd[15945]: Invalid user christine from 88.85.95.129
Apr 28 13:02:13 externo sshd[15949]: Invalid user charles from 88.85.95.129
Apr 28 13:02:16 externo sshd[15953]: Invalid user charles from 88.85.95.129
Apr 28 13:02:18 externo sshd[15958]: Invalid user charles from 88.85.95.129
Apr 28 13:02:22 externo sshd[15962]: Invalid user charles from 88.85.95.129
Apr 28 13:02:25 externo sshd[15966]: Invalid user charles from 88.85.95.129
Apr 28 13:02:27 externo sshd[15970]: Invalid user charles from 88.85.95.129
Apr 28 13:02:30 externo sshd[15974]: Invalid user clayton from 88.85.95.129
Apr 28 13:02:33 externo sshd[15978]: Invalid user clayton from 88.85.95.129
Apr 28 13:02:36 externo sshd[15982]: Invalid user clayton from 88.85.95.129
Apr 28 13:02:39 externo sshd[15986]: Invalid user carlos from 88.85.95.129
Apr 28 13:02:42 externo sshd[15990]: Invalid user carlos from 88.85.95.129
Apr 28 13:02:45 externo sshd[15994]: Invalid user carlos from 88.85.95.129
Apr 28 13:02:48 externo sshd[15998]: Invalid user carlos from 88.85.95.129
Apr 28 13:02:50 externo sshd[16002]: Invalid user carlos from 88.85.95.129
Apr 28 13:02:53 externo sshd[16006]: Invalid user carlos from 88.85.95.129
Apr 28 13:02:56 externo sshd[16010]: Invalid user carlos from 88.85.95.129
Apr 28 13:02:59 externo sshd[16014]: Invalid user cody from 88.85.95.129
Apr 28 13:03:02 externo sshd[16018]: Invalid user cody from 88.85.95.129
Apr 28 13:03:04 externo sshd[16022]: Invalid user cody from 88.85.95.129
Apr 28 13:03:07 externo sshd[16026]: Invalid user cody from 88.85.95.129
Apr 28 13:03:10 externo sshd[16030]: Invalid user cody from 88.85.95.129
Apr 28 13:03:13 externo sshd[16034]: Invalid user cody from 88.85.95.129
Apr 28 13:03:15 externo sshd[16038]: Invalid user cody from 88.85.95.129
Apr 28 13:03:18 externo sshd[16042]: Invalid user carolyn from 88.85.95.129
Apr 28 13:03:20 externo sshd[16046]: Invalid user carolyn from 88.85.95.129
Apr 28 13:03:22 externo sshd[16050]: Invalid user carolyn from 88.85.95.129
Apr 28 13:03:26 externo sshd[16054]: Invalid user carolyn from 88.85.95.129
Apr 28 13:03:28 externo sshd[16058]: Invalid user carolyn from 88.85.95.129
Apr 28 13:03:31 externo sshd[16062]: Invalid user carolyn from 88.85.95.129
Apr 28 13:03:33 externo sshd[16066]: Invalid user cara from 88.85.95.129
Apr 28 13:03:36 externo sshd[16070]: Invalid user cara from 88.85.95.129
Apr 28 13:03:39 externo sshd[16074]: Invalid user cara from 88.85.95.129
Apr 28 13:03:42 externo sshd[16078]: Invalid user cara from 88.85.95.129
Apr 28 13:03:44 externo sshd[16082]: Invalid user cara from 88.85.95.129
Apr 28 13:03:47 externo sshd[16086]: Invalid user cara from 88.85.95.129
Apr 28 13:03:49 externo sshd[16090]: Invalid user deena from 88.85.95.129
Apr 28 13:03:52 externo sshd[16094]: Invalid user deena from 88.85.95.129
Apr 28 13:03:55 externo sshd[16098]: Invalid user deena from 88.85.95.129
Apr 28 13:03:58 externo sshd[16102]: Invalid user donald from 88.85.95.129
Apr 28 13:04:00 externo sshd[16106]: Invalid user donald from 88.85.95.129
Apr 28 13:04:02 externo sshd[16110]: Invalid user donald from 88.85.95.129
Apr 28 13:04:06 externo sshd[16114]: Invalid user david from 88.85.95.129
Apr 28 13:04:09 externo sshd[16118]: Invalid user david from 88.85.95.129
Apr 28 13:04:12 externo sshd[16122]: Invalid user david from 88.85.95.129
Apr 28 13:04:14 externo sshd[16126]: Invalid user david from 88.85.95.129
Apr 28 13:04:17 externo sshd[16130]: Invalid user david from 88.85.95.129
Apr 28 13:04:19 externo sshd[16134]: Invalid user david from 88.85.95.129
Apr 28 13:04:22 externo sshd[16138]: Invalid user david from 88.85.95.129
Apr 28 13:04:25 externo sshd[16142]: Invalid user dan from 88.85.95.129
Apr 28 13:04:27 externo sshd[16146]: Invalid user dan from 88.85.95.129
Apr 28 13:04:30 externo sshd[16150]: Invalid user dan from 88.85.95.129
Apr 28 13:04:32 externo sshd[16154]: Invalid user dan from 88.85.95.129
Apr 28 13:04:35 externo sshd[16158]: Invalid user dan from 88.85.95.129
Apr 28 13:04:37 externo sshd[16162]: Invalid user dan from 88.85.95.129
Apr 28 13:04:40 externo sshd[16166]: Invalid user dan from 88.85.95.129
Apr 28 13:04:43 externo sshd[16170]: Invalid user dan from 88.85.95.129
Apr 28 13:04:45 externo sshd[16174]: Invalid user doug from 88.85.95.129
Apr 28 13:04:48 externo sshd[16178]: Invalid user doug from 88.85.95.129
Apr 28 13:04:50 externo sshd[16182]: Invalid user doug from 88.85.95.129
Apr 28 13:04:53 externo sshd[16186]: Invalid user doug from 88.85.95.129
Apr 28 13:04:55 externo sshd[16190]: Invalid user doug from 88.85.95.129
Apr 28 13:04:58 externo sshd[16194]: Invalid user doug from 88.85.95.129
Apr 28 13:05:00 externo sshd[16198]: Invalid user doug from 88.85.95.129
Apr 28 13:05:03 externo sshd[16202]: Invalid user dorian from 88.85.95.129
Apr 28 13:05:05 externo sshd[16206]: Invalid user dorian from 88.85.95.129
Apr 28 13:05:08 externo sshd[16210]: Invalid user dorian from 88.85.95.129
Apr 28 13:05:11 externo sshd[16214]: Invalid user dana from 88.85.95.129
Apr 28 13:05:14 externo sshd[16218]: Invalid user dana from 88.85.95.129
Apr 28 13:05:17 externo sshd[16223]: Invalid user dana from 88.85.95.129
Apr 28 13:05:19 externo sshd[16227]: Invalid user dana from 88.85.95.129
Apr 28 13:05:22 externo sshd[16232]: Invalid user deborah from 88.85.95.129
Apr 28 13:05:25 externo sshd[16238]: Invalid user deborah from 88.85.95.129
Apr 28 13:05:27 externo sshd[16242]: Invalid user deborah from 88.85.95.129
Apr 28 13:05:29 externo sshd[16246]: Invalid user duke from 88.85.95.129
Apr 28 13:05:32 externo sshd[16250]: Invalid user duke from 88.85.95.129
Apr 28 13:05:34 externo sshd[16254]: Invalid user duke from 88.85.95.129
... weird 
Apr 28 13:17:23 externo sshd[17302]: Invalid user josh from 88.85.95.129
Apr 28 13:17:26 externo sshd[17306]: Invalid user josh from 88.85.95.129
Apr 28 13:17:29 externo sshd[17310]: Invalid user josh from 88.85.95.129
Apr 28 13:17:32 externo sshd[17314]: Invalid user josh from 88.85.95.129
Apr 28 13:17:36 externo sshd[17318]: Invalid user josh from 88.85.95.129
Apr 28 13:17:38 externo sshd[17322]: Invalid user josh from 88.85.95.129
Apr 28 13:17:41 externo sshd[17326]: Invalid user josh from 88.85.95.129
Apr 28 13:17:44 externo sshd[17330]: Invalid user josh from 88.85.95.129
Apr 28 13:17:46 externo sshd[17334]: Invalid user joey from 88.85.95.129
```

Last edited by ferreirafm on Tue Apr 28, 2009 8:36 pm; edited 1 time in total

----------

## pigeon768

 *ferreirafm wrote:*   

> I've got thousands of access attempts from different IP addresses in the syslog messages file (/var/log/messages). What does it mean? A hacker attack? It seems to be some program trying to access the sshd service repetitively from the same IP with different users. Sometimes I can see access attempts from different IPs. Is there any sshd setting to prevent such behavior?  

  Yes, it's just part of having a computer connected to the internet. It's a hack 'attempt' by several bots, trying default and common logins/passwords.

You could set up iptables and/or your hosts.deny/hosts.allow files.

----------

## ferreirafm

 *pigeon768 wrote:*   

> You could set up iptables and/or your hosts.deny/hosts.allow files.

Thanks for the answer. That's great. Deny everybody and allow specific hosts and addresses.

All the best.

----------

## Tekeli Li

Your first order of business should be to move SSH to a different port. Why leave it at 22? It is too critical to allow any "convenience" of default. That alone will block out virtually all ssh attack attempts, which are bots attacking the default port, and you won't waste resources on ip lookups and denies.

EDIT: And your second order of business should be to use public key authentication (it is very, very simple to setup) and stop worrying about SSH (but do keep an eye on the logs from time to time).   :Cool: 

----------

## ferreirafm

 *Tekeli Li wrote:*   

> Your first order of business should be to move SSH to a different port. Why leave it at 22? It is too critical to allow any "convenience" of default. That alone will block out virtually all ssh attack attempts, which are bots attacking the default port, and you won't waste resources on ip lookups and denies.

Nmap or any similar program can disclose your new port and thousands of login attempts will start again. I think iptables is better and very easy to set up. Paranoids use both  :Smile: 

----------

## xtz

I'd rather go for changing the ports; iptables may 'eat' lots of cpu resources if it's very intensive traffic.

----------

## ferreirafm

Be careful when moving the ssh service to non-default ports. You can find such a port closed in the gateway that you are logging in from. Actually, that happened to me twice, so I decided to move back to the default port and review the iptables.

----------

## 1shot1kill

Edit your sshd config to only accept key-based logins. This might help you; it did for me: http://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-ssh-beyondshell.html

I went from over 900 attempts to about 20 a day by doing this.
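As an added example (not from the thread or from the linked CentOS guide), the sshd_config directives that make sshd accept key-based logins only; the user name in AllowUsers is a hypothetical placeholder:

```sshd_config
# /etc/ssh/sshd_config excerpt (added example, not from the thread)

# Accept public keys, refuse passwords outright.
PubkeyAuthentication yes
PasswordAuthentication no

# The pam USE flag is set in the OP's build. With UsePAM yes, PAM can
# still ask for a password through keyboard-interactive unless this is
# off as well; UsePAM stays on for account and session handling.
ChallengeResponseAuthentication no
UsePAM yes

# Limit what a bot gets out of the connections it does open.
PermitRootLogin no
MaxAuthTries 3
LoginGraceTime 30

# Optional: restrict logins to named accounts (hypothetical user name).
AllowUsers alice
```

Keep the current session open and confirm a key login from a second terminal before reloading sshd for good, since a typo here locks every remote user out.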

----------

## eccerr0r

I'll second the notion not to change sshd's port: there are a lot of firewalls out there that block nonstandard ports, and you will unfortunately have to resort to the standard port 22 just so that you can ssh to your machine. This of course depends on your originating network. If you never have to ssh from somewhere that blocks everything but port 22, then by all means, changing the port helps (though it is security by obscurity... at least the amount of traffic to your machine goes down.)

Not sure why fail2ban was not suggested yet, though I don't use it. It should pick up this case and filter the attempts. Basically I'm just using a manual iptables-based blocking mechanism if some host tries to dictionary attack my machine. It's not perfect, but if you have strong passwords (or use public key infrastructure) you really do not need to worry about these dictionary attacks.
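The counting step behind fail2ban and a hand-rolled iptables blocker, as an added example that is not code from the thread or from fail2ban: it parses syslog lines in the format quoted above and reports sources that exceed a threshold inside a sliding window. The log lines are constructed (RFC 5737 documentation addresses), and the threshold and window are this example's own assumptions, not fail2ban's shipped defaults.

```python
"""Spot SSH dictionary-attack sources in syslog 'Invalid user' lines.

Added example: the per-source counting that fail2ban (or eccerr0r's manual
iptables blocking) performs before a ban, and nothing more. The sample log
is constructed in the format quoted in the thread.
"""
import re
from collections import defaultdict
from datetime import datetime

# One sshd line as syslog writes it, e.g.
# "Apr 28 12:32:03 externo sshd[13149]: Invalid user administrator from 88.85.95.129"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Constructed sample: one fast dictionary run and one slow, spaced-out probe.
SAMPLE_LOG = """\
Apr 28 12:32:03 externo sshd[13149]: Invalid user administrator from 198.51.100.7
Apr 28 12:32:06 externo sshd[13153]: Invalid user administrator from 198.51.100.7
Apr 28 12:32:09 externo sshd[13157]: Invalid user postfix from 198.51.100.7
Apr 28 12:32:11 externo sshd[13164]: Invalid user oracle from 198.51.100.7
Apr 28 12:32:14 externo sshd[13168]: Invalid user demo from 198.51.100.7
Apr 28 12:32:16 externo sshd[13172]: Invalid user sales from 198.51.100.7
Apr 28 12:40:00 externo sshd[13300]: Invalid user bob from 203.0.113.9
Apr 28 13:00:01 externo cron[15726]: (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons )
Apr 28 13:10:00 externo sshd[13400]: Invalid user bob from 203.0.113.9
Apr 28 13:40:00 externo sshd[13500]: Invalid user bob from 203.0.113.9
Apr 28 14:10:00 externo sshd[13600]: Invalid user bob from 203.0.113.9
Apr 28 14:40:00 externo sshd[13700]: Invalid user bob from 203.0.113.9
Apr 28 15:10:00 externo sshd[13800]: Invalid user bob from 203.0.113.9
"""


def parse_line(line, year=2009):
    """Return (timestamp, user, ip) for an 'Invalid user' line, else None.

    syslog timestamps carry no year, so the caller supplies one (2009, the
    year of the thread, is the default). Unrelated lines such as the cron
    entries are skipped by returning None.
    """
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]


def find_offenders(lines, maxretry=5, window_s=600):
    """Map each source IP with >= maxretry invalid-user attempts inside any
    window_s-second sliding window to (total_attempts, distinct_users).

    maxretry/window_s follow fail2ban's maxretry/findtime idea; the numbers
    are this example's own assumptions.
    """
    stamps = defaultdict(list)
    users = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, ip = parsed
        stamps[ip].append(ts)
        users[ip].add(user)

    offenders = {}
    for ip, times in stamps.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window's left edge until it spans at most window_s.
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= maxretry:
                offenders[ip] = (len(times), len(users[ip]))
                break
    return offenders


if __name__ == "__main__":
    # The fast run is flagged; the slow probe (one try every 30 minutes)
    # never fits 5 attempts into a 10-minute window, so it is not.
    for ip, (attempts, distinct) in sorted(find_offenders(SAMPLE_LOG.splitlines()).items()):
        print(f"{ip}: {attempts} attempts, {distinct} distinct user names")
```

The slow probe shows the limit of threshold-based blocking: a source that spaces its attempts wider than findtime is never banned, which is why the thread's other advice (key-only logins) matters regardless of what blocks the noisy bots.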

----------

## cach0rr0

 *eccerr0r wrote:*   

> Not sure why fail2ban was not suggested yet, though I don't use it. 

Curse you, I was just about to mention that as I'd seen nobody else do so up to this point!

Everyone has their preferences - mine is fail2ban. 

It does precisely what I need for ssh, and as I discovered later for even more services - it can do the same for vsftpd, apache, all sorts of goodies (though I don't let it touch my apache ports)

I second this, without question. It's been absolutely brilliant every time I've deployed it

----------

## 1shot1kill

I am going to have to try fail2ban; it looks very promising.

----------

## ferreirafm

 *cach0rr0 wrote:*   

> Everyone has their preferences - mine is fail2ban. 
> 
> It does precisely what I need for ssh, and as I discovered later for even more services - it can do the same for vsftpd, apache, all sorts of goodies (though I don't let it touch my apache ports)
> 
> I second this, without question. It's been absolutely brilliant every time I've deployed it

It really sounds great! I have used the following howto http://www.gentoo-wiki.info/HOWTO_fail2ban to set it up. I'll let you know how it is doing.

----------

## cach0rr0

The discovery that it's capable of monitoring vsftpd attempts was a recent one for me (to be honest, I'd just not looked at jail.conf beyond the ssh stuff),

but I take great comfort in getting the occasional e-mail like:

```
Hi,

The IP 174.129.167.73 has just been banned by Fail2Ban after
5 attempts against VSFTPD.

Here are more information about 174.129.167.73:

OrgName:    Amazon.com, Inc.
OrgID:      AMAZO-4
Address:    Amazon Web Services, Elastic Compute Cloud, EC2
Address:    1200 12th Avenue South
City:       Seattle
StateProv:  WA
PostalCode: 98144
Country:    US

NetRange:   174.129.0.0 - 174.129.255.255
CIDR:       174.129.0.0/16
NetName:    AMAZON-EC2-5
NetHandle:  NET-174-129-0-0-1
Parent:     NET-174-0-0-0-0
NetType:    Direct Assignment
NameServer: PDNS1.ULTRADNS.NET
NameServer: PDNS2.ULTRADNS.NET
NameServer: PDNS3.ULTRADNS.ORG
Comment:   
Comment:    This network is a member of a dynamic hosting
Comment:    environment. See http://ec2.amazonaws.com/
Comment:    All reports MUST include:
Comment:    * src IP
Comment:    * dest IP (your IP)
Comment:    * dest port
Comment:    * Accurate date/timestamp and timezone of activity
Comment:    * Intensity/frequency (short log extracts)
Comment:    * Your contact details (phone and email)
Comment:    Without these we will be unable to identify
Comment:    the correct owner of the IP address at that
Comment:    point in time.
RegDate:    2008-08-08
Updated:    2008-08-08

RAbuseHandle: AEA8-ARIN
RAbuseName:   Amazon EC2 Abuse
RAbusePhone:  +1-206-266-2187
RAbuseEmail:  ec2-abuse@amazon.com

RNOCHandle: ANO24-ARIN
RNOCName:   Amazon EC2 Network Operations
RNOCPhone:  +1-206-266-2187
RNOCEmail:  aes-noc@amazon.com

RTechHandle: ANO24-ARIN
RTechName:   Amazon EC2 Network Operations
RTechPhone:  +1-206-266-2187
RTechEmail:  aes-noc@amazon.com

OrgAbuseHandle: AEA8-ARIN
OrgAbuseName:   Amazon EC2 Abuse
OrgAbusePhone:  +1-206-266-2187
OrgAbuseEmail:  ec2-abuse@amazon.com

OrgTechHandle: ANO24-ARIN
OrgTechName:   Amazon EC2 Network Operations
OrgTechPhone:  +1-206-266-2187
OrgTechEmail:  aes-noc@amazon.com

# ARIN WHOIS database, last updated 2009-07-23 20:00
# Enter ? for additional hints on searching ARIN's WHOIS database.

Regards,

Fail2Ban 
```

Guess Amazon wants my pr0n. Neat.

----------

## ferreirafm

 *cach0rr0 wrote:*   

> but I take great comfort in getting the occasional e-mail like:

 

I didn't get anything so far. Do I have to have some mail server running?

----------

## cach0rr0

 *ferreirafm wrote:*   

>  *cach0rr0 wrote:*   but I take great comfort in getting the occasional e-mail like: 
> 
> I didn't get anything so far. Do I have to have some mail server running?

 

ah...yes, realistically this is probably something you'd need. 

While fail2ban would happily e-mail say, your gmail address, gmail does not allow connections from dynamic/residential IP addresses - so the message would get rejected, and you'd never receive it. 

You could use the e-mail address provided to you by your ISP? But I don't really know anybody that actually uses that  :Smile: 

Postfix or SSMTP, along with Dovecot, would be easy enough to set up. 

Realistically you could get the same info by reviewing /var/log/fail2ban.log 

I'm just lazy, and find having e-mail notifications to be very convenient. 

If you do go the Postfix route, and get stuck, I have all of my .conf files dumped here:

https://whitehathouston.com/topics/index.php/WHHMail

as well, holler if you're going through that setup and need help. You may not want to go through the trouble of doing all that just for e-mail notifications; it may be easier to just pull in SSMTP, and have it route all e-mail (in this case, fail2ban notifications to your gmail) through your ISP's SMTP server

----------

## ferreirafm

 *cach0rr0 wrote:*   

>  Postfix or SSMTP, along with Dovecot, would be easy enough to set up. 

 

I think I don't need a mail server just to receive those funny messages. However, it's good to know. 

Talking about the /var/log/fail2ban.log. I've got the following warning:

```
2009-07-25 16:56:07,456 fail2ban.server : INFO   Exiting Fail2ban
2009-07-25 16:56:08,819 fail2ban.jail   : INFO   Using poller
2009-07-25 16:56:08,842 fail2ban.filter : INFO   Created Filter
2009-07-25 16:56:08,842 fail2ban.filter : INFO   Created FilterPoll
2009-07-25 16:56:08,847 fail2ban.filter : INFO   Added logfile = /var/log/messages
2009-07-25 16:56:08,857 fail2ban.filter : INFO   Set maxRetry = 3
2009-07-25 16:56:08,877 fail2ban.comm   : WARNING Invalid command: ['set', 'ssh-tcpwrapper', 'ignoreregex', 'for\ myuser from']
```

It seems that fail2ban is not running properly. What's wrong?   :Rolling Eyes: 

----------

## cach0rr0

can you post your /etc/fail2ban/jail.conf ?

----------

## cach0rr0

actually...you're using the ssh-tcpwrapper bit

personally, I opt for iptables

```
[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           mail-whois[name=SSH, dest=meat@whitehathouston.com]
logpath  = /var/log/auth.log
maxretry = 3
```

and leave ssh-tcpwrapper set to enabled=false

if you have ssh-tcpwrapper enabled, and this is indeed what you want, you should make a real regex, e.g. using a username of 'cach0rr0'

```
[ssh-tcpwrapper]
enabled     = true
filter      = sshd
action      = hostsdeny
              mail-whois[name=SSH, dest=yourmail@mail.com]
ignoreregex = for.+cach0rr0.+from
logpath     = /var/log/sshd.log
```

obv you don't want both ssh-tcpwrapper and ssh-iptables enabled - choose one or the other

----------

## ferreirafm

 *cach0rr0 wrote:*   

> if you have ssh-tcpwrapper enabled, and this is indeed what you want, you should make a real regex, e.g. using a username of 'cach0rr0'

 

I would like to use ssh-tcpwrappers as I am more familiar with hosts.allow/.deny syntax. But it really doesn't work. I've tried both changing the regex and leaving the defaults, but nothing changed. Do I have to emerge something else to use ssh-iptables?

----------

## toralf

Try these iptables rules (I derived them from here: http://www.heise.de/security/SSH-vor-Brute-Force-Angriffen-schuetzen--/artikel/142155/3):

```
iptables -t filter -A INPUT -p tcp --destination-port 22 -m state --state ESTABLISHED -m recent --name FAILED_SSH_LOGIN --update --seconds 60 --hitcount 2 -j REJECT --reject-with tcp-reset
iptables -t filter -A INPUT -p tcp --destination-port 22 -m state --state NEW         -m recent --name FAILED_SSH_LOGIN --set
```

Furthermore I use this at home for my DSL modem : 

```
iptables -t filter -A INPUT --in-interface ppp0 -m recent --name ppp0 --update --seconds 60 -j DROP
iptables -t filter -A INPUT --in-interface ppp0 -m recent --name ppp0 --set                 -j DROP
```

----------

## cach0rr0

 *ferreirafm wrote:*   

>  *cach0rr0 wrote:*   if you have ssh-tcpwrapper enabled, and this is indeed what you want, you should make a real regex, e.g. using a username of 'cach0rr0' 
> 
> I would like to use ssh-tcpwrappers as I am more familiar with hosts.allow/.deny syntax. But it really doesn't work. I've tried both changing the regex and leaving the defaults, but nothing changed. Do I have to emerge something else to use ssh-iptables?

 

just comment out the ignoreregex line

restart fail2ban

see if that doesn't work.

----------

## ferreirafm

 *cach0rr0 wrote:*   

> just comment out the ignoreregex line
> 
> restart fail2ban 
> 
> see if that doesn't work.

 

It seems to be running now. I'll see what's going on tomorrow. 

The fail2ban.log has changed to:

```
2009-07-25 18:46:39,236 fail2ban.jail   : INFO   Using poller
2009-07-25 18:46:39,259 fail2ban.filter : INFO   Created Filter
2009-07-25 18:46:39,260 fail2ban.filter : INFO   Created FilterPoll
2009-07-25 18:46:39,265 fail2ban.filter : INFO   Added logfile = /var/log/messages
2009-07-25 18:46:39,275 fail2ban.filter : INFO   Set maxRetry = 3
2009-07-25 18:46:39,295 fail2ban.filter : INFO   Set findtime = 600
2009-07-25 18:46:39,305 fail2ban.actions: INFO   Set banTime = 600
2009-07-25 18:46:39,365 fail2ban.actions.action: INFO   Set actionBan = IP=<ip> &&
echo "ALL: $IP" >> <file>
2009-07-25 18:46:39,375 fail2ban.actions.action: INFO   Set actionStop =
2009-07-25 18:46:39,385 fail2ban.actions.action: INFO   Set actionStart =
2009-07-25 18:46:39,395 fail2ban.actions.action: INFO   Set actionUnban = IP=<ip> && sed -i.old /ALL:\ $IP/d <file>
2009-07-25 18:46:39,405 fail2ban.actions.action: INFO   Set actionCheck =
2009-07-25 18:46:39,435 fail2ban.actions.action: INFO   Set actionBan = echo -en "Hi,\n
The IP <ip> has just been banned by Fail2Ban after
<failures> attempts against <name>.\n\n
Here are more information about <ip>:\n
`whois <ip>`\n
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip>" <dest>
2009-07-25 18:46:39,445 fail2ban.actions.action: INFO   Set actionStop = echo -en "Hi,\n
The jail <name> has been stopped.\n
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped" <dest>
2009-07-25 18:46:39,455 fail2ban.actions.action: INFO   Set actionStart = echo -en "Hi,\n
The jail <name> has been started successfuly.\n
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] <name>: started" <dest>
2009-07-25 18:46:39,465 fail2ban.actions.action: INFO   Set actionUnban =
2009-07-25 18:46:39,475 fail2ban.actions.action: INFO   Set actionCheck =
2009-07-25 18:46:39,617 fail2ban.actions.action: ERROR  echo -en "Hi,\n
The jail SSH has been started successfuly.\n
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] SSH: started" yourmail@mail.com returned 7f00
```

Thanks for helping!  :Very Happy: 
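To make the jail mechanics behind the two jail.conf snippets and this log concrete (maxretry, findtime, ignoreregex, bantime, and the hostsdeny action's echo/sed lines), here is a small Python model run over constructed sshd log lines. It is an added example, not fail2ban's own code: FAILREGEX is a simplified stand-in for fail2ban's sshd filter, syslog_time, Jail and run are hypothetical names, and the hosts 10.0.0.5 and 192.0.2.44 are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

FAILREGEX = re.compile(r"sshd\[\d+\]: (?:Invalid user \S+|Failed password for .+?) from "
                       r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})")  # simplified sshd failregex
IGNOREREGEX = re.compile(r"for.+cach0rr0.+from")  # the ignoreregex from cach0rr0's jail.conf

def syslog_time(line):
    # syslog lines carry no year; seconds since an arbitrary epoch suffice for a time window
    return (datetime.strptime(line[:15], "%b %d %H:%M:%S") - datetime(1900, 1, 1)).total_seconds()

class Jail:
    def __init__(self, maxretry=3, findtime=600, bantime=600):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(deque)  # host -> times of failures inside findtime
        self.bans = {}                      # host -> unban time, None when bantime = -1
        self.hosts_deny = []                # lines actionban has appended to /etc/hosts.deny
    def feed(self, line):                   # returns the host banned by this line, or None
        now = syslog_time(line)
        for host, until in list(self.bans.items()):  # actionunban: sed -i '/ALL: $IP/d' <file>
            if until is not None and now >= until:
                del self.bans[host]
                self.hosts_deny.remove("ALL: " + host)
        m = FAILREGEX.search(line)
        if not m or IGNOREREGEX.search(line):        # ignoreregex wins over failregex
            return None
        host, q = m.group("host"), self.failures[m.group("host")]
        q.append(now)
        while now - q[0] > self.findtime:            # drop failures older than findtime
            q.popleft()
        if len(q) < self.maxretry or host in self.bans:
            return None
        self.bans[host] = None if self.bantime < 0 else now + self.bantime
        self.hosts_deny.append("ALL: " + host)       # actionban: echo "ALL: $IP" >> <file>
        return host

def run(log, **opts):  # -> (hosts banned at some point, hosts.deny lines when the log ends)
    jail = Jail(**opts)
    return [h for h in map(jail.feed, log.splitlines()) if h], jail.hosts_deny

LOG = """\
Apr 28 12:32:03 externo sshd[13149]: Invalid user administrator from 88.85.95.129
Apr 28 12:32:06 externo sshd[13153]: Invalid user administrator from 88.85.95.129
Apr 28 12:32:09 externo sshd[13157]: Failed password for invalid user administrator from 88.85.95.129 port 4567 ssh2
Apr 28 12:35:00 externo sshd[13200]: Failed password for cach0rr0 from 10.0.0.5 port 5000 ssh2
Apr 28 12:35:02 externo sshd[13201]: Failed password for cach0rr0 from 10.0.0.5 port 5001 ssh2
Apr 28 12:35:04 externo sshd[13202]: Failed password for cach0rr0 from 10.0.0.5 port 5002 ssh2
Apr 28 12:40:00 externo sshd[13300]: Invalid user oracle from 192.0.2.44
Apr 28 13:00:00 externo sshd[13400]: Invalid user oracle from 192.0.2.44
"""  # constructed sample; the first two lines mirror the thread's syslog excerpt
```

With bantime=-1 the "ALL: 88.85.95.129" line stays in hosts.deny for good; with the default 600 it is removed again once the 13:00 line arrives, while the three cach0rr0 failures never count and the two 192.0.2.44 failures are too far apart to fit in findtime.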

----------

## Mike Hunt

I use a non-standard port for ssh since I discovered these attacks on my box, and I'm aware of the limitations described by ferreirafm.

toralf's iptables rules give me

```
iptables: No chain/target/match by that name.
```

Probably (I think) because the end parts after the second -m need some advanced netfilter configs in my kernel, but which ones? Anybody?

I found another possible solution, port knocking, but I haven't tried it yet.

----------

## cach0rr0

 *Mike Hunt wrote:*   

> I use a non-standard port for ssh since I discovered these attacks on my box, and I'm aware of the limitations described by ferreirafm.
> 
> toralf's iptables rules give me
> 
> ```
> ...
> ```

 

port knocking is the ultimate in stealth, but a pain in the arse 

you'll no doubt hear arguments to the contrary stating how easy it is to craft a script to do it for you, but what if you lose the script and can't remember the order? 

The route you take depends on whether or not you have a ton of users logging in via ssh. 

If you DO, then indeed you'd want to look at something like fail2ban, port knocking, deploying custom iptables policy, etc

But if you don't? Hell, this becomes a non-issue, no argument there - disable keyboard-interactive authentication, and do your auth via SSH DSA keys. 

Very good doc on that here - http://www.gentoo.org/doc/en/articles/openssh-key-management-p1.xml

I'll look at his iptables rule in a sec and see what stuff you might need from the kernel, but really I would consider going for key-based auth if you can get away with it; completely eliminating the need to deploy something to check posthumously for brute-force. 

I've only avoided doing so myself as I have to talk a number of users through generating SSH keys, not all of whom are within talking distance regularly. 

I'll keep fail2ban around for vsftpd, but eventually intend to migrate to exclusively key-based auth.

----------

## cach0rr0

So, making a guess, here is what you'd need

```
IP_NF_TARGET_REJECT=m  (I prefer iptables stuff be as modules)
NF_CONNTRACK_IPV4=m
NF_CONNTRACK=m
NETFILTER_XT_MATCH_RECENT=m
```

The last one especially. 

I don't speak a word of German - well, I don't know any words that aren't offensive, and/or don't involve beer, but, from the article he linked:

 *Quote:*   

> With the iptables module "recent", TCP connection attempts against services can be counted at packet level in real time, and from a threshold onwards further attacks from an IP address can be blocked without having to search through logs. The module is part of the Linux kernel and is loaded at runtime.

 

Assuming this means you need NETFILTER_XT_MATCH_RECENT 

I will just trust that the people in the article are the experts, and blindly assume this is correct  :Smile: 

From the description in menuconfig:

 *Quote:*   

> CONFIG_NETFILTER_XT_MATCH_RECENT:
> ...

 

Again though, key-based auth is a far better route to go if you don't have heaps of users to manage. It's still the best route even then, from a security perspective, just a bit cumbersome getting people to use it.

Hope that helps

----------

## Mike Hunt

 *cach0rr0 wrote:*   

> ```
> IP_NF_TARGET_REJECT=m  (I prefer iptables stuff be as modules)
> ...
> ```

 

Yep that was the one - NETFILTER_XT_MATCH_RECENT, which is <M> "recent" match support in make menuconfig, and requires <*> Advanced netfilter configuration.

Now toralf's iptables rules work. 

Thanks so much, now I'm going to try key-based auth, perhaps with keychain   :Smile: 

----------

## cach0rr0

I would keep a careful eye on those iptables rules

I am far from an expert with iptables, but, I don't see anywhere in those rules that a block ever expires. 

So if you come home from the pub drunk, and can't manage your password, you're locked out of SSH indefinitely (until you change your IP of course)

I do my best coding when I'm drunk, so this is not an option for me. 

As well it's very possible I'm misreading the rules, and that somewhere in there the block is reset after a certain time period. This is among the reasons I like fail2ban - it isn't a permanent block. 

If nothing else, ask somebody who knows iptables well enough to comment - because I sure as hell do not!

----------

## toralf

 *Mike Hunt wrote:*   

> toralf's iptables rules gives me
> 
> ```
> iptables: No chain/target/match by that name.
> ```
> ...

You need the "match" and "state" match support in your kernel:

```
Location:
  -> Networking support (NET [=y])
    -> Networking options
      -> Network packet filtering framework (Netfilter) (NETFILTER [=y])
        -> Core Netfilter Configuration
          -> Netfilter Xtables support (required for ip_tables) (NETFILTER_XTABLES [=m])
```

----------

## Mike Hunt

toralf

Yep, I already had the state match support, it was just the recent match support that was missing.   :Smile: 

cach0rr0

Ok, I'm not sure if I understand fully, but the German article seems to say that a timestamp is written to /proc/net/ipt_recent/DEFAULT, and if three unsuccessful login attempts occur within 1 minute, then the connection is reset. Otherwise after 1 minute a new connection to the ssh-server with 3 connection attempts is possible - if I understood correctly.   :Smile: 
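A Python model of what toralf's two rules do over time, added here and not part of the thread or of iptables itself: RecentTable follows the recent module's --set/--update/--seconds/--hitcount behaviour as I understand it (only timestamps inside the window count, and a matching --update records a fresh one), SshGuard, connect and simulate are hypothetical names, and the timeline of attempts is constructed. It shows that, as written, the rules count connections rather than failed logins, that the second connection from a source inside 60 seconds gets reset, and that the block clears again once the source stays quiet for 60 seconds.

```python
from collections import defaultdict

class RecentTable:
    """Model of one netfilter 'recent' list, as the page's rules use it (simplified)."""
    def __init__(self, max_stamps=20):             # ip_pkt_list_tot default in the kernel
        self.stamps, self.max_stamps = defaultdict(list), max_stamps

    def set(self, src, now):                        # --set: record a timestamp for src
        s = self.stamps[src]
        s.append(now)
        del s[:-self.max_stamps]                    # ring buffer: keep the newest stamps

    def update(self, src, now, seconds, hitcount):
        # --update --seconds S --hitcount N: match when src has >= N stamps inside the
        # last S seconds; a match also records a fresh stamp, which prolongs the block
        s = self.stamps.get(src, [])
        if sum(1 for t in s if now - t <= seconds) < hitcount:
            return False
        self.set(src, now)
        return True

class SshGuard:
    """toralf's rule pair on INPUT for tcp/22 (model, not iptables itself)."""
    def __init__(self, seconds=60, hitcount=2):
        self.recent, self.seconds, self.hitcount = RecentTable(), seconds, hitcount

    def packet(self, src, state, now):
        # -m state --state ESTABLISHED -m recent --name FAILED_SSH_LOGIN --update
        #    --seconds 60 --hitcount 2 -j REJECT --reject-with tcp-reset
        if state == "ESTABLISHED" and self.recent.update(src, now, self.seconds, self.hitcount):
            return "REJECT"
        # -m state --state NEW -m recent --name FAILED_SSH_LOGIN --set   (no -j: only records)
        if state == "NEW":
            self.recent.set(src, now)
        return "ACCEPT"                             # assumes the chain otherwise allows ssh

def connect(guard, src, now):
    """One SSH connection: the NEW SYN, then its first ESTABLISHED packet a second later."""
    guard.packet(src, "NEW", now)
    return guard.packet(src, "ESTABLISHED", now + 1)

def simulate(attempts, **opts):
    """Verdict for each (src, time) connection attempt, in order."""
    guard = SshGuard(**opts)
    return [connect(guard, src, t) for src, t in attempts]

# Constructed timeline (seconds): one source keeps retrying, another connects once.
ATTEMPTS = [("192.0.2.10", 0), ("192.0.2.10", 10), ("192.0.2.10", 30), ("198.51.100.7", 35),
            ("192.0.2.10", 85), ("192.0.2.10", 150)]
```

The retry at 85 s is still reset because each rejected packet refreshed the timestamps at 30 s and 31 s, so a client that keeps hammering extends its own block; the attempt at 150 s is accepted again because no stamp from the last 60 seconds remains.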

----------

## Deem3n

To avoid these types of problems in future you can follow this guide and secure your daemon.

----------

## ferreirafm

 *cach0rr0 wrote:*   

> As well it's very possible I'm misreading the rules, and that somewhere in there the block is reset after a certain time period. This is among the reasons I like fail2ban - it isn't a permanent block. 

 

Just to share my experience with fail2ban, here goes my jail (hosts.deny) so far:

```
>externo ferreirafm > more /etc/hosts.deny
# Default policy: no access at all
# ALL: ALL
ALL: 200.82.186.133
ALL: 80.34.177.167
ALL:124.139.121.10
ALL:217.144.158.3
ALL:202.90.240.152
ALL:121.254.228.21
ALL:77.222.43.67
ALL:121.14.20.75
```

The first line was my previous policy before fail2ban. Allow some IPs and deny everybody. By the way, fail2ban has a permanent ban option by setting bantime=-1 in /etc/fail2ban/jail.conf.

For drunkers, put your home and work IPs into the /etc/hosts.allow. It will overcome deny rules if you get occasionally jailed.

Best of luck.

----------

