# Annoying remote login attempts [Solved]

## jeanfrancis

Hi guys !

I'm a n00b in security, and I need advice  :Wink: 

I was looking for HAL logs, and here is what I found  :Wink: 

```
Apr 25 11:28:25 jf sshd[8561]: Invalid user haley from 209.172.32.44
Apr 25 11:36:23 jf sshd[9568]: Invalid user thalia from 209.172.32.44
Apr 25 11:36:55 jf sshd[9639]: Invalid user hallie from 209.172.32.44
Apr 25 11:37:09 jf sshd[9667]: Invalid user haleigh from 209.172.32.44
Apr 25 11:38:20 jf sshd[9910]: Invalid user nathalie from 209.172.32.44
Apr 25 11:39:34 jf sshd[11700]: Invalid user halie from 209.172.32.44
Apr 25 11:41:34 jf sshd[9500]: Invalid user hali from 209.172.32.44
Apr 25 11:42:39 jf sshd[23008]: Invalid user halle from 209.172.32.44
Apr 25 11:49:01 jf sshd[23853]: Invalid user marshall from 209.172.32.44
Apr 25 11:51:39 jf sshd[25714]: Invalid user khalil from 209.172.32.44
```

I already found that I get this kind of failed login on my FTP server...

What do I need to blacklist an IP address after a bunch of fails?

IPTables ? 

Thanks  :Smile: 

Last edited by jeanfrancis on Sun Apr 29, 2007 6:03 am; edited 1 time in total

----------

## bunder

yep, iptables is the one.

if you have a router though, i'd add the rules there as opposed to on the ssh server... further upstream, the less lan/wan bandwidth waste.   :Wink: 

people will tell you to switch the port ssh is running on, but in all fairness, why should you... these automated drones should not be allowed to violate the world's network aup's.  i've gotten in the habit of cidr-banning all asian, south american and middle eastern networks. (with the exception of a few north american pains in the ass, like cogentco, cihost, serverpronto and soon verizon.)

edit:  if you can't go the upstream way, you might be interested in fail2ban... it actively scans logs and ipbans ip's who repeatedly try to log into the machine.

----------

## jeanfrancis

Hi !

Thanks for that quick answer.

My home router doesn't seem to have such configuration... So I'll go with fail2ban. Do I need IPTables anyway? (fail2ban will update IPTables' rules?)

----------

## bunder

*jeanfrancis wrote:*

> Hi !
> 
> Thanks for that quick answer.
> 
> My home router doesn't seem to have such configuration... So I'll go with fail2ban. Do I need IPTables anyway? (fail2ban will update IPTables' rules?)


yes, fail2ban requires iptables.

cheers

----------

## jeanfrancis

Well, I guess it's time for me to learn how to configure it  :Wink: 

Once IPTables is configured and fail2ban started, do I need any other configuration? (do I have to tell fail2ban to use IPTables somewhere?)

Thanks guys !

----------

## bunder

*jeanfrancis wrote:*

> Well, I guess it's time for me to learn how to configure it 
> 
> Once IPTables is configured and fail2ban started, do I need any other configuration? (do I have to tell fail2ban to use IPTables somewhere?)
> 
> Thanks guys !


yeah, there is a config file for fail2ban that you may need to edit, depending on what gentoo enables by default.

http://www.fail2ban.org/wiki/index.php/Category:Configuration

https://forums.gentoo.org/viewtopic-t-255103.html (main fail2ban thread)

cheers

----------

## jeanfrancis

Thanks !

I think this is done... waiting to see if any good result  :Smile: 

----------

## jeanfrancis

Just tested and it works  :Smile: 

----------

## bunder

*jeanfrancis wrote:*

> Just tested and it works 


excellent.  glad i could help.   :Smile: 

----------

## jeanfrancis

Oh, there is one thing...

After login attempts:

```
Chain fail2ban-SSH (1 references)
target     prot opt source               destination
DROP       0    --  bas2-quebec09-xxxxxxxxxx.dsl.bell.ca  anywhere
RETURN     0    --  anywhere             anywhere
```

(removed a part of my dns  :Wink: )

but... it seems I can still connect...  :Sad: 

I didn't set any "special" IPTables rules (accepting all connections on ports forwarded to my box by my router), but dropping what fail2ban would add... is this correct?

----------

## bunder

*jeanfrancis wrote:*

> I didn't set any "special" IPTables rules (accepting all connections on ports forwarded to my box by my router), but dropping what fail2ban would add... is this correct?


yes.   :Smile: 

edit: i'm afraid i'm not sure why that rule it made isn't working... maybe it banned the wrong ip? (try from outside the lan?)

i also think fail2ban might release the bans after a certain period of time.
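To make concrete what bunder describes (fail2ban scanning the log and banning IPs that repeatedly fail to log in) and the remark just above that bans are released after a while, here is a small detector in the same spirit. It is an added example written for this thread, not fail2ban's own code: it parses sshd "Invalid user" lines like the ones in the first post, counts failures per source IP inside a sliding window, issues a ban once a threshold is reached, and lets the ban expire. The knob names (maxretry, findtime, bantime) mirror fail2ban's configuration options; the year 2007, the extra "Accepted publickey" line and the 192.0.2.10 documentation address are constructed for the sample.

```python
"""Toy fail2ban-style detector (added example, not fail2ban's code):
parse sshd 'Invalid user' lines, count failures per source IP inside a
sliding window, ban on a threshold, and release the ban after bantime."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Syslog lines carry no year; the thread is from April 2007 (assumption).
LOG_YEAR = 2007

# Shape of the sshd lines quoted in the thread.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_line(line, year=LOG_YEAR):
    """Return (timestamp, user, ip) for an 'Invalid user' line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]


class FailureTracker:
    """Per-IP failure counter with the three knobs fail2ban exposes:
    maxretry, findtime (counting window) and bantime (ban duration)."""

    def __init__(self, maxretry=5, findtime=timedelta(minutes=10),
                 bantime=timedelta(minutes=10)):
        self.maxretry = maxretry
        self.findtime = findtime
        self.bantime = bantime
        self.failures = defaultdict(deque)  # ip -> timestamps inside the window
        self.bans = {}                      # ip -> time the ban expires

    def is_banned(self, ip, now):
        """True while a ban is active; an expired ban is dropped (released)."""
        expiry = self.bans.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.bans[ip]
            return False
        return True

    def record(self, ts, ip):
        """Register one failure; return True if it triggers a new ban."""
        if self.is_banned(ip, ts):
            return False  # firewall already drops this IP; nothing to count
        window = self.failures[ip]
        window.append(ts)
        while window and ts - window[0] > self.findtime:
            window.popleft()  # forget failures older than findtime
        if len(window) >= self.maxretry:
            self.bans[ip] = ts + self.bantime
            window.clear()
            return True
        return False


def ban_command(ip, jail="SSH"):
    """Rule in the shape fail2ban's default iptables action inserts into the
    per-jail chain (compare the 'Chain fail2ban-SSH' listing in the thread)."""
    return f"iptables -I fail2ban-{jail} 1 -s {ip} -j DROP"


def process_log(lines, **tracker_opts):
    """Feed log lines through the tracker; return (tracker, list of bans)."""
    tracker = FailureTracker(**tracker_opts)
    bans = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # not an 'Invalid user' line; ignore it
        ts, _user, ip = parsed
        if tracker.record(ts, ip):
            bans.append((ts, ip, ban_command(ip)))
    return tracker, bans


# Sample input: the ten lines from the first post plus one constructed
# successful-login line (192.0.2.10 is a documentation address) that must
# not be counted as a failure.
SAMPLE_LOG = [
    "Apr 25 11:28:25 jf sshd[8561]: Invalid user haley from 209.172.32.44",
    "Apr 25 11:36:23 jf sshd[9568]: Invalid user thalia from 209.172.32.44",
    "Apr 25 11:36:55 jf sshd[9639]: Invalid user hallie from 209.172.32.44",
    "Apr 25 11:37:09 jf sshd[9667]: Invalid user haleigh from 209.172.32.44",
    "Apr 25 11:38:20 jf sshd[9910]: Invalid user nathalie from 209.172.32.44",
    "Apr 25 11:39:34 jf sshd[11700]: Invalid user halie from 209.172.32.44",
    "Apr 25 11:40:00 jf sshd[9999]: Accepted publickey for jf from 192.0.2.10 port 50000 ssh2",
    "Apr 25 11:41:34 jf sshd[9500]: Invalid user hali from 209.172.32.44",
    "Apr 25 11:42:39 jf sshd[23008]: Invalid user halle from 209.172.32.44",
    "Apr 25 11:49:01 jf sshd[23853]: Invalid user marshall from 209.172.32.44",
    "Apr 25 11:51:39 jf sshd[25714]: Invalid user khalil from 209.172.32.44",
]

if __name__ == "__main__":
    tracker, bans = process_log(SAMPLE_LOG)
    for ts, ip, cmd in bans:
        print(f"{ts:%H:%M:%S} ban {ip}: {cmd}")
    print("still banned at end:", sorted(tracker.bans))
```

With the defaults, the fifth failure at 11:38:20 falls inside ten minutes of the first one and triggers the ban; the three failures that follow are ignored while the ban is active, and by 11:49:01 the ban has expired and counting starts over. Two things follow from this for the question of "I can still connect": the tracker keys on the address exactly as it appears in the log, so a ban only affects connections that arrive with that same source address, and a ban with a short bantime is simply gone after that interval.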

----------

## jeanfrancis

Okay.

I was still able to connect once banned...

But I will wait for a "real" example  :Smile: 

----------

