# sshd brute force protection.

## XenoTerraCide

I'm wondering if anyone knows of a pam or sshd hack that would allow me to run a command after so many failed login attempts from a certain host. I'm hoping for something better than grep-ing through logs.

----------

## AaronPPC

No hack needed.  Take a look at fail2ban or denyhosts.  I use fail2ban and love it.

----------

## XenoTerraCide

Those both seem to be log analysis tools, which is something I'm hoping to avoid. If there isn't something that does it, perhaps I should attempt to write it myself. I just don't want to re-invent the wheel. However, the current wheel seems to be made of wood... Parsing logs is horribly inefficient when pam has the ability to keep track of the number of failed logins, so it _shouldn't_ be too difficult to have it execute commands. The biggest problem I have is that I've started using ipset. 90% of the automated log scanning scripts have either crappy or inefficient firewall rules on top of it.

----------

## dsegel

Running sshd on a non-standard port is all you need to avoid most scripted attacks.

----------

## XenoTerraCide

I'm not actually worried about anyone ever succeeding... I don't allow root or any users in wheel to log in with a password. I figure most of the machines attacking mine probably do other "naughty" things... which means I can use the IP address I get from the attempts to block all access to the machine, to keep them from trying to break other areas of the server which may not be as protected and as well audited as ssh is.

----------

## Naib

I used to run on the default port 22 and I used to get about 3 attacks a day.

I used to use blockhosts (which acts on every ssh login/attempt).

Denyhosts is great as well, but as stated, a non-standard port is the biggest thing you can do.

----------

## ToeiRei

I have to agree with XenoTerraCide that log monitoring is not state of the art. Currently I am not allowing SSH access from the outside.

----------

## XenoTerraCide

Actually, I want them to attack ssh. Better they attack that than a more vulnerable service. This is a web server, so I have to have lots of stuff open; stealthing the ssh port is not an option.

----------

## ToeiRei

Well... most kiddies 'scan' for specific services based on open ports. They try to exploit every open port on their list.

----------

## XenoTerraCide

Exactly, which would include 22, 25, 53, 80, 110, 143, 443, ... Of all the services listening, the only one I deem something I don't have to worry about is ssh. Although I'm sure apache and bind are well audited, they can't say "only 2 remotely exploitable flaws ever".

----------

## ToeiRei

I am running a couple of honeypots to see the incoming hits... it's really a pain.

But let's have a look at pam to see if there's a blacklist/blocker module.

----------

## XenoTerraCide

The only thing I've found is pam_abl; however, it doesn't seem to add hosts to the firewall... I think it just keeps them from logging in.

----------

## hermanng

*XenoTerraCide wrote:*

> the only thing I've found is pam_abl, however it doesn't seem to add hosts to the firewall... I think it just keeps them from logging in.

Yes, pam_abl is designed to maintain some automated host blacklists; requests from these will then be denied. But I don't think it will work with sshd (due to the way it is designed).

----------

## javeree_work

I use iptables with the 'recent' module to catch brute force attempts.

I don't have access to my system now, but it's something similar to this:

```sh
# Evaluated first: 3 or more entries for this host in the last 60 s -> LOGDROP
# (a chain that first logs the attacker and then drops him).
$IPTABLES -A INPUT -p tcp -i eth0 --dport 22 -m state --state NEW -m recent --name sshprobe --update --seconds 60 --hitcount 3 -j LOGDROP
# Otherwise record the attempt and accept it. Must come after the rule above:
# --set always matches, so placed first it would accept every new connection.
$IPTABLES -A INPUT -p tcp -i eth0 --dport 22 -m state --state NEW -m recent --name sshprobe --set -j ACCEPT
```

This is limited to stopping someone from retrying ssh brute force, but it can be generalized. A google with 'iptables recent' showed me this link: http://www.stearns.org/doc/adaptive-firewalls.current.html

Which shows an example of an attacker of a mail server being blocked for several minutes after 3 attempts.

Hope this helps
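As an added example (not from this thread and not the poster's own rules): a small Python model of how the iptables recent match evaluates those two rules, based on the xt_recent semantics as I understand them: --set always matches and records the packet, --rcheck/--update match once the host already has --hitcount entries inside --seconds, and --update additionally re-stamps the host on a match. The connection times and addresses are constructed. It shows why the LOGDROP rule has to precede the "--set -j ACCEPT" rule, and that with --update a host that keeps retrying keeps itself blocked until it stays quiet for a whole window, whereas --rcheck lets it back in as soon as the oldest entries age out.

```python
from collections import defaultdict

LIST_TOT = 20  # xt_recent keeps at most ip_pkt_list_tot (default 20) stamps per host

class RecentTable:
    """One named xt_recent list: per-address arrival times, oldest first."""
    def __init__(self):
        self.stamps = defaultdict(list)

    def set(self, ip, now):
        # --set: always matches and records this packet's arrival time
        s = self.stamps[ip]
        s.append(now)
        del s[:-LIST_TOT]
        return True

    def check(self, ip, now, seconds, hitcount, refresh):
        # --rcheck/--update --seconds N --hitcount H: match when the host already has
        # H or more entries not older than N seconds (hitcount 3: the 4th attempt in
        # the window is the first matched). --update also re-stamps the host on a match.
        hits = sum(1 for t in self.stamps.get(ip, ()) if now - t <= seconds)
        if hits < hitcount:
            return False
        if refresh:
            self.set(ip, now)
        return True

def verdicts(attempts, drop_rule_first=True, mode="update", seconds=60, hitcount=3):
    """attempts: time-ordered (t_seconds, src_ip) NEW connections to port 22.
    Walks the two rules in the given order and returns one verdict per attempt."""
    table = RecentTable()
    out = []
    for now, ip in attempts:
        # Posted order ("--set -j ACCEPT" first) accepts everything; LOGDROP never runs.
        if drop_rule_first and table.check(ip, now, seconds, hitcount, mode == "update"):
            out.append("LOGDROP")
            continue
        table.set(ip, now)  # the "--set -j ACCEPT" rule
        out.append("ACCEPT")
    return out

# Constructed sample: 203.0.113.7 hammers port 22, 198.51.100.2 connects once.
ATTEMPTS = [(0, "203.0.113.7"), (5, "203.0.113.7"), (10, "203.0.113.7"),
            (12, "198.51.100.2"), (15, "203.0.113.7"), (40, "203.0.113.7"),
            (70, "203.0.113.7"), (140, "203.0.113.7")]

if __name__ == "__main__":
    print("posted order :", verdicts(ATTEMPTS, drop_rule_first=False))
    print("fixed,rcheck :", verdicts(ATTEMPTS, mode="rcheck"))
    print("fixed,update :", verdicts(ATTEMPTS))
```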

----------

## hermanng

You may also want to have a look at sshguard, which is quite new in portage.

----------

