# repetitive ssh logins by bots - any way to stop these?

## dilbot

I've noticed bots trying to repetitively ssh into my mail/web server, hundreds of times. Mostly from Asia. Is there a way to get these IPs locked out automatically after, say, 10 or 20 tries?

----------

## schwicky

Have a look at fail2ban. It allows you to specify iptables rules to block abusive ssh/apache/ftp/... failed logins.
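A concrete fail2ban configuration for the case in the original question (lock an address out after 10 tries), added here as an illustration; it is not from schwicky's post or from fail2ban itself. It assumes fail2ban 0.9 or later, where the ssh jail is called `sshd` and local overrides go in `/etc/fail2ban/jail.local`, and that sshd logs to `/var/log/auth.log`; `203.0.113.10` is a placeholder for your own management host.

```ini
# /etc/fail2ban/jail.local (added example; overrides the shipped jail.conf)
[DEFAULT]
# Addresses that are never banned: loopback plus your own admin host (placeholder)
ignoreip = 127.0.0.1/8 ::1 203.0.113.10
# Ban for one hour once maxretry failures are seen inside findtime (both in seconds)
bantime  = 3600
findtime = 600
maxretry = 10

[sshd]
enabled = true
port    = ssh
logpath = /var/log/auth.log
```

After `fail2ban-client reload`, `fail2ban-client status sshd` lists the currently banned addresses, and the ban itself shows up as an `f2b-sshd` chain in `iptables -L -n`. If sshd listens on a non-standard port, as suggested later in the thread, set `port` to that number; otherwise fail2ban will detect the failures correctly but the iptables rule it inserts will not cover the port actually in use. The `ignoreip` line is the check that keeps you from banning yourself while testing.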

----------

## kilianh

To make ssh itself less prone to attacks like this I always use one or more of the following three techniques:

Use key-based logins and disable password logins. Very secure and fairly simple to set up.

Use iptables to allow ssh access from only a select few IP addresses (or only a single one). Very secure.

Run ssh on a different port. Security by obscurity.

Haven't looked at fail2ban yet, but I highly recommend the first option.
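The sshd_config side of kilianh's first option (key-only logins), with the port change from the third, shown as an added example rather than anything from the post. The directives are standard OpenSSH ones; `alice` and `2222` are placeholders, and the commented-out lines show the permissive settings being replaced.

```text
# /etc/ssh/sshd_config (added example)

# Permissive settings being replaced (shown for contrast):
#   PasswordAuthentication yes
#   ChallengeResponseAuthentication yes
#   PermitRootLogin yes
#   Port 22

# Accept keys only; no password or keyboard-interactive prompts to brute-force
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
# Root must come in through a normal account and sudo/su
PermitRootLogin no
# Only this account may log in at all (placeholder user name)
AllowUsers alice
# At most 3 authentication attempts per connection before sshd disconnects
MaxAuthTries 3
# Optional, obscurity only: listen somewhere other than 22 (placeholder port)
Port 2222
```

Before reloading, put your public key in `~alice/.ssh/authorized_keys`, run `sshd -t` to syntax-check the file, and keep your current session open while you confirm from a second terminal that `ssh -p 2222 alice@host` succeeds with the key; disabling passwords with no working key is a lockout. On OpenSSH 8.7 and later the keyboard-interactive directive is spelled `KbdInteractiveAuthentication`, with the older name still accepted as an alias.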

----------

## svancouw

We just noticed yesterday at 1 a.m. that my servers were getting hit pretty hard with that from Romania, and we installed denyhosts. That allows you to set how many attempts are made before they are banned, and for how long. Then, if they do it again, they are banned permanently. All IPs and hostnames are blocked by using hosts.deny.

This is a very effective means of stopping this sort of activity. It does use /var/log/messages to set up the banned IPs, so you might want to clear that log first, or else it will accidentally ban valid IPs. That is, for example, if you forgot your password and couldn't log in via ssh three times in a row, it would add your source IP to the banned list.

Our settings are three attempts, banned for a week. After that week, three more attempts, banned permanently. If you want to re-enable someone, just delete their IP or hostname from hosts.deny.

Hope this helps!

Sean
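The policy Sean describes (three failures, a one-week ban, and a permanent ban for a repeat offender) reimplemented as a short Python script, added here as an illustration of what denyhosts and fail2ban do underneath; it is not denyhosts' own code, and the log lines are constructed for the demo. It parses the `Failed password` messages sshd writes to syslog, counts them per source address, and renders the resulting bans as `hosts.deny` entries. The year is assumed because syslog lines carry none.

```python
"""Added example: threshold / expiry / permanent ban logic over sshd log lines.
Not denyhosts code; the log lines below are constructed for the demo."""
import re
from datetime import datetime, timedelta

# sshd "Failed password" lines as syslog writes them (constructed sample).
# 198.51.100.7 is the bot; 203.0.113.10 is a legitimate user who typos once.
SAMPLE_LOG = """\
Jan 10 01:00:01 mail sshd[4011]: Failed password for root from 198.51.100.7 port 4022 ssh2
Jan 10 01:00:03 mail sshd[4012]: Failed password for invalid user admin from 198.51.100.7 port 4023 ssh2
Jan 10 01:00:05 mail sshd[4013]: Failed password for root from 198.51.100.7 port 4024 ssh2
Jan 10 01:00:09 mail sshd[4014]: Failed password for dilbot from 203.0.113.10 port 51000 ssh2
Jan 10 01:00:15 mail sshd[4015]: Accepted publickey for dilbot from 203.0.113.10 port 51001 ssh2
Jan 18 02:00:01 mail sshd[5011]: Failed password for root from 198.51.100.7 port 4100 ssh2
Jan 18 02:00:02 mail sshd[5012]: Failed password for root from 198.51.100.7 port 4101 ssh2
Jan 18 02:00:03 mail sshd[5013]: Failed password for root from 198.51.100.7 port 4102 ssh2
"""

# Matches both "Failed password for USER" and "Failed password for invalid user USER"
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)

THRESHOLD = 3                   # failures before a ban (Sean's setting)
BAN_LENGTH = timedelta(days=7)  # first ban; the next offence is permanent
YEAR = 2006                     # assumed: syslog timestamps have no year


def parse_failures(log_text):
    """Yield (timestamp, ip) for every failed-password line, in log order."""
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]


class BanList:
    """Per-address failure counts and ban state, mirroring the described policy."""

    def __init__(self, threshold=THRESHOLD, ban_length=BAN_LENGTH):
        self.threshold = threshold
        self.ban_length = ban_length
        self.failures = {}      # ip -> failures since the last ban was lifted
        self.banned_until = {}  # ip -> expiry datetime, or None for permanent
        self.prior_bans = {}    # ip -> number of temporary bans already served

    def is_banned(self, ip, now):
        """True if ip is currently blocked; lifts (and remembers) expired bans."""
        if ip not in self.banned_until:
            return False
        expiry = self.banned_until[ip]
        if expiry is None or now < expiry:
            return True
        del self.banned_until[ip]
        self.prior_bans[ip] = self.prior_bans.get(ip, 0) + 1
        return False

    def record_failure(self, ts, ip):
        """Feed one failure; return 'banned', 'permanent', or None (no change)."""
        if self.is_banned(ip, ts):
            return None
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] < self.threshold:
            return None
        self.failures[ip] = 0
        if self.prior_bans.get(ip, 0) >= 1:
            self.banned_until[ip] = None      # second offence: permanent
            return "permanent"
        self.banned_until[ip] = ts + self.ban_length
        return "banned"

    def hosts_deny_lines(self):
        """Render current bans as /etc/hosts.deny entries for sshd."""
        return [f"sshd: {ip}" for ip in sorted(self.banned_until)]


def process(log_text):
    """Run log_text through the policy; return (ban events, hosts.deny lines)."""
    bans = BanList()
    events = []
    for ts, ip in parse_failures(log_text):
        action = bans.record_failure(ts, ip)
        if action:
            events.append((ts.isoformat(), ip, action))
    return events, bans.hosts_deny_lines()


if __name__ == "__main__":
    evs, deny = process(SAMPLE_LOG)
    for ev in evs:
        print(*ev)
    print("\n".join(deny))
```

On the sample the bot is banned at its third failure on Jan 10, the ban lapses after a week, and its next three failures on Jan 18 make the ban permanent; the user at 203.0.113.10 never reaches the threshold, which is the point of Sean's warning about stale entries in `/var/log/messages`. A real deployment would watch the live log rather than a string and write the entries to `hosts.deny` or into an iptables chain, as the tools in this thread do.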

----------

## phatscum

I'll second fail2ban. Very easy and effective.

----------

## dilbot

All excellent suggestions - I've started looking at each package.   Thanks for your help!

----------

## James Wells

Greetings,

If you already have iptables installed, a simple solution is to modify your /etc/ssh/sshd_config file, changing MaxAuthTries to 2. This will tell sshd to only allow two attempts per connect. Then you simply add the following to your iptables rules:

```
# The SSHD and DROPLOG chains must exist, and new SSH connections (port 22 assumed) must be sent into SSHD
iptables -N SSHD
iptables -N DROPLOG
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSHD
iptables -A SSHD -p tcp -m state --state NEW -m recent --update --seconds 86400 --hitcount 3 --rttl -j DROPLOG
iptables -A SSHD -p tcp -m state --state NEW -m recent --set -j ACCEPT
iptables -A DROPLOG -m limit --limit 3/minute --limit-burst 10 -j LOG --log-prefix 'iptables Droplog: '
iptables -A DROPLOG -j DROP
```

The first line says that if a site attempts to connect to SSH more than 3 times within 24 hours, send that site to the table called DROPLOG. DROPLOG then generates a syslog entry and drops the connection and all future attempts for the next 24 hours.

I have found that this system works very well for me. YMMV of course.

----------

## mahuani

Another option might be denyhosts. It gives loads of configuration options and the ability to sync with a central server that keeps a list of IPs known to be attacking.

```
emerge app-admin/denyhosts
```

----------

## kamagurka

I found that using a really strange port number for ssh works fine. If that fails, a big cardboard "no bots allowed here" sign on the workstation does wonders, too =D

----------

## .:chrome:.

*kamagurka wrote:*

> I found that using a really strange port number for ssh works fine. If that fails, a big cardboard "no bots allowed here" sign on the workstation does wonders, too =D

This can't solve the problem.

A port scan can find the new port number, and this method doesn't work with firewalls.

The right solution is using tools such as portsentry, denyhosts, or knockd.

----------

## kamagurka

You are, of course, right. But doesn't choosing a very high non-standard port number protect you from port scans?

----------

## .:chrome:.

*kamagurka wrote:*

> You are, of course, right. But doesn't choosing a very high non-standard port number protect you from port scans?

This is true... but in this manner you can connect to your SSH server if you are behind a firewall that (correctly) opens just port 22 and not others.

----------

## kamagurka

*k.gothmog wrote:*

> *kamagurka wrote:* You are, of course, right. But doesn't choosing a very high non-standard port number protect you from port scans?
>
> This is true... but in this manner you can connect to your SSH server if you are behind a firewall that (correctly) opens just port 22 and not others.

I don't know how you do it, but I just forwarded the port. Or do you mean when you're behind a firewall that you don't control?

----------

## James Wells

*kamagurka wrote:*

> You are, of course, right. But doesn't choosing a very high non-standard port number protect you from port scans?

Yes and no. This will protect you from most script kiddie tools, however, those tools generally only scan standard ports. Sadly, most of the bot/zombie nets are using tools vastly superior to what script kiddies use, tools that specifically scan ports in the 56K - 64K range specifically to look for these types of openings. That's actually the reason I have given up on hiding ports, and instead have opted to simply use abuse blockers, like the iptables piece I did above.

----------

