# how do I delay or ban an IP from ssh into my box?

## genfive

my syslog shows that someone is trying to brute-force ssh into my home linux box with all different username password combos... it seems to be from this one IP.

Is there a way to configure my sshd so that after a number of unsuccessful tries, it will ban that particular IP, or at least delay it for a while? thanks.

----------

## wynn

Shouldn't this be something for your firewall?

----------

## genfive

 *wynn wrote:*   

> Shouldn't this be something for your firewall?

 

My firewall? It is a D-Link 4-port router. Sure, I can put the IP in there manually, but 1. it is not automatic, and 2. the little box has limited memory capacity.

----------

## NeddySeagoon

genfive,

It's a standard user/passwd guessing script. I get attacks like that most days from different IPs.

Make sure that sshd does not accept root logins - everyone has a root user, so there is no point in giving that information away.

Enforce strong passwords - that's easy if you have cracklib. Better, use key based authentication, so you can disable passwords.

Your users then need to provide you with their public key and have their private key available to authenticate.

Run ntp-client and ntpd, so when you get bored, you can complain to the originating ISPs. Accurate time allows the ISP to track down users with dynamic IPs.

If you still have problems, begin populating /etc/hosts.deny with IPs to reject, or better, /etc/hosts.accept.

----------

## genfive

 *NeddySeagoon wrote:*   

> genfive,
> 
> It's a standard user/passwd guessing script. I get attacks like that most days from different IPs.
> 
> Make sure that sshd does not accept root logins - everyone has a root user, so there is no point in giving that information away.
> ...

 

Hi Neddy,

Cool. I am new to this Linux stuff, let alone security. I will disable root logins. What is that cracklib you are talking about? Thanks.

----------

## The Mad Crapper

 *genfive wrote:*   

> my syslog shows that someone is trying to brute-force ssh into my home linux box with all different username password combos... it seems to be from this one IP.
> 
> Is there a way to configure my sshd so that after a number of unsuccessful tries, it will ban that particular IP, or at least delay it for a while? thanks.

 

I had the same thing going on, and after looking up all the IP addresses on ARIN, found they were all in China. I have no friends in China. So I just used iptables to drop anything from those networks...

```
# install the userspace tool and start the (initially empty) ruleset
emerge iptables
/etc/init.d/iptables start

# drop every packet from the offending address (X.X.X.X stands for the real IP;
# a CIDR such as X.X.X.0/24 drops the whole network). -A appends to the end of
# INPUT, so if an earlier rule already ACCEPTs ssh, use -I to insert at the top.
iptables -A INPUT -s X.X.X.X -j DROP

# persist the rules so they survive a reboot (Gentoo init script)
/etc/init.d/iptables save
```

----------
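As an added example (not code from the thread or from The Mad Crapper), here is the same iptables ban driven automatically by sshd's log lines, which is what the original question asked for: count "Failed password" attempts per source address and emit a DROP rule once an address crosses a threshold. The log lines and addresses below are constructed (RFC 5737 documentation ranges), and the script prints the rules instead of running them so it can be tried unprivileged.

```shell
#!/bin/sh
# Added example, not code from the thread: turn sshd's "Failed password" log
# lines into a ban list, i.e. the automatic version of the manual
# "iptables -A INPUT -s X.X.X.X -j DROP" above.
# SAMPLE_LOG is constructed to mimic OpenSSH auth log lines; the addresses
# are RFC 5737 documentation ranges, not real attackers.

SAMPLE_LOG='Mar  3 02:11:07 box sshd[4121]: Failed password for invalid user admin from 203.0.113.5 port 51822 ssh2
Mar  3 02:11:09 box sshd[4123]: Failed password for invalid user test from 203.0.113.5 port 51830 ssh2
Mar  3 02:11:12 box sshd[4125]: Failed password for root from 203.0.113.5 port 51841 ssh2
Mar  3 02:11:15 box sshd[4127]: Failed password for invalid user oracle from 203.0.113.5 port 51850 ssh2
Mar  3 02:11:20 box sshd[4129]: Failed password for genfive from 198.51.100.9 port 40012 ssh2
Mar  3 02:11:31 box sshd[4131]: Accepted publickey for genfive from 198.51.100.9 port 40013 ssh2
Mar  3 02:12:02 box sshd[4140]: Failed password for invalid user guest from 192.0.2.77 port 60101 ssh2
Mar  3 02:12:03 box sshd[4142]: Failed password for invalid user guest from 192.0.2.77 port 60102 ssh2'

# offenders THRESHOLD: read log text on stdin, print each source IP with at
# least THRESHOLD failed password attempts, one per line, sorted.
# Both "Failed password for root from" and "... for invalid user X from" are
# handled by locating the word "from" rather than counting fields.
offenders() {
    awk -v t="$1" '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= t) print ip }
    ' | LC_ALL=C sort
}

# ban_rules THRESHOLD: print the iptables commands for each offender.
# Printing instead of executing keeps this runnable unprivileged; as root,
# pipe the output to sh.
ban_rules() {
    offenders "$1" | while read -r ip; do
        # -I inserts at the top so the DROP wins over any later ACCEPT for ssh;
        # the -C check first avoids stacking duplicate rules on repeated runs.
        printf 'iptables -C INPUT -s %s -j DROP 2>/dev/null || iptables -I INPUT -s %s -j DROP\n' "$ip" "$ip"
    done
}

# Demo over the constructed log: ban after 3 failures. Only 203.0.113.5
# qualifies; the user who mistyped one password before their key worked
# is left alone.
printf '%s\n' "$SAMPLE_LOG" | ban_rules 3
```

Run it from cron against whatever file your syslog writes sshd messages to, pipe the output to sh as root, and whitelist your own addresses before you do: a single fat-fingered login session from home must not lock you out. Since many of these sources are zombie or dynamic addresses, bans should expire rather than accumulate forever; that expiry, plus continuous tailing of the log, is what denyhosts and similar tools add over this one-shot version.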

## genfive

 *The Mad Crapper wrote:*   

>  *genfive wrote:*   my syslog shows that someone is trying to brute-force ssh into my home linux box with all different username password combos... it seems to be from this one IP.
> 
> Is there a way to configure my sshd so that after a number of unsuccessful tries, it will ban that particular IP, or at least delay it for a while? thanks. 
> 
> I had the same thing going on, and after looking up all the IP addresses on ARIN, found they were all in China. I have no friends in China. So I just used iptables to drop anything from those networks...
> ...

 

I will do the same... BTW, can someone give me a quick lesson on how to use cracklib?

----------

## NeddySeagoon

genfive,

The passwd command does it all for you. Root can set any password on any account but may get a warning that it's based on a dictionary word.

Users are now forced to set strong passwords. Any password that fails complexity tests is refused.

So ... expire all your users' passwords; that forces them to set new ones as themselves before they get to the shell prompt.

I've seen these attacks come from the Far East, the USA and the UK. In many cases they come from zombie boxes (already compromised).

Run chkrootkit on a regular basis. If it finds something, you have had a break in, the converse is not true however.

Look at tripwire too. That maintains md5sums of all the files on your box, so can identify any changed files.

----------

## genfive

 *NeddySeagoon wrote:*   

> genfive,
> 
> ...
> 
> I've seen these attacks come from the Far East, the USA and the UK. In many cases they come from zombie boxes (already compromised).
> ...

 

Cool thanks. I just installed both and checked for rootkit. I think my box is still okay - even though there is a chance of false negative...

----------

## Utoxin

One word: denyhosts

Emerge it, configure it, start it, never worry about brute-force SSH attacks again.

----------

## Erlend

 *Quote:*   

> Look at tripwire too. That maintains md5sums of all the files on your box, so can identify any changed files.

 

Doesn't portage already do that?

```
equery check xorg-x11
```

 *Quote:*   

> My firewall? It is a D-Link 4-port router. Sure, I can put the IP in there manually, but 1. it is not automatic, and 2. the little box has limited memory capacity.

 

There are tools for this: they integrate with iptables.  http://gentoo-wiki.com/HOWTO_Protect_SSHD_with_DenyHosts

 *Quote:*   

> Make sure that sshd does not accept root logins - everyone has a root user, so there is no point in giving that information away.

 

What if you want to use root through ssh?  Can you "su -" up to root once you're logged in?

 *Quote:*   

> Enforce strong passwords - thats easy if you have cracklib. Better, use key based authenticaltion, so you can disable passwords. 

 

Can you have both password and key based authentication?

----------

## genfive

 *Erlend wrote:*   

>  *Quote:*   Look at tripwire too. That maintains md5sums of all the files on your box, so can identify any changed files. 
> 
> Doesn't portage already do that?
> 
> ```
> ...

 

I am not sure about the rest, but yes, I can su once I am logged in as a normal user, because that username is in the wheel group. Also, I thought sshd by default uses PAM login with key authentication, but I could be wrong.

----------

## beatryder

 *Erlend wrote:*   

>  *Quote:*   Look at tripwire too. That maintains md5sums of all the files on your box, so can identify any changed files. 
> 
> Doesn't portage already do that?
> 
> ```
> ...

 

You would be correct, save for one thing: tripwire is an active service, meaning it will email you, or otherwise notify you, when files have been changed by non-authorized users.

----------
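The point made in the last two posts (a stored list of file hashes, compared against the box later) reduced to its core, as an added example that is not code from the thread, from tripwire or from portage: one function records a baseline, the other reports additions, removals and changes. It uses sha256sum rather than the md5sums mentioned above, builds its own scratch directory, and touches no real system files.

```shell
#!/bin/sh
# Added example, not code from the thread: the core of what tripwire (and
# "equery check" for files owned by a package) does, reduced to a baseline
# and a comparison. Everything happens in a scratch directory created by
# fim_demo; no real system files are touched.

# fim_baseline DIR OUT: record "hash  path" for every regular file under DIR.
# The baseline must be stored where an intruder cannot rewrite it (read-only
# media or another host); a baseline kept on the same box proves nothing.
fim_baseline() {
    (cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2) > "$2"
}

# fim_check DIR BASELINE: print "added/removed/changed <path>" for each
# difference between the baseline and DIR now; prints nothing when clean.
# Paths containing whitespace are not handled (sha256sum's output is space-split).
fim_check() {
    cur=$(mktemp)
    (cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2) > "$cur"
    awk 'FILENAME == ARGV[1] { base[$2] = $1; next }
         { now[$2] = $1 }
         END {
             for (f in now)  if (!(f in base)) print "added   " f
             for (f in base) if (!(f in now))  print "removed " f
             for (f in base) if ((f in now) && base[f] != now[f]) print "changed " f
         }' "$2" "$cur" | LC_ALL=C sort
    rm -f "$cur"
}

# fim_demo: build a small tree, baseline it, then simulate an intruder who
# flips a setting, drops a hidden file and deletes a script. File names and
# contents are constructed for the demo.
fim_demo() {
    d=$(mktemp -d)
    b=$(mktemp)
    printf 'PermitRootLogin no\n' > "$d/sshd_config"
    printf '#!/bin/sh\necho ok\n' > "$d/login.sh"
    fim_baseline "$d" "$b"
    clean=$(fim_check "$d" "$b")
    [ -z "$clean" ] || printf 'unexpected drift before tampering: %s\n' "$clean"
    printf 'PermitRootLogin yes\n' > "$d/sshd_config"   # tampered
    printf 'x\n' > "$d/.hidden"                          # dropped
    rm -f "$d/login.sh"                                  # deleted
    fim_check "$d" "$b"
    rm -rf "$d" "$b"
}

fim_demo
```

Where this differs from portage's view is the scope: portage only knows about files it installed, so a dropped file in /tmp or a new key in ~/.ssh/authorized_keys is invisible to `equery check`, while a baseline over the directories you care about catches it. Where it differs from tripwire is everything around the comparison: tripwire signs its database, runs on a schedule and reports, and those are the parts that make the check trustworthy after a break-in.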

## genfive

 *beatryder wrote:*   

>  *Erlend wrote:*    *Quote:*   Look at tripwire too. That maintains md5sums of all the files on your box, so can identify any changed files. 
> 
> Doesn't portage already do that?
> 
> ```
> ...

 

Heck, that won't do me any good; for the past couple of days I was struggling trying to get an SMTP server working, and so far I have only effed it up even more.

----------

## NeddySeagoon

Erlend,

Providing your ordinary user is in the wheel group, you can su to root over ssh.

It makes it much harder for crackers to get root access.

If you want to make things difficult when they do get in, have a separate home and mount it noexec.

That way they can't install and run any software. /tmp should already be noexec.

You can have both passwd and key access but if users don't offer a key, ssh falls back to password authentication, so it's no better.

Both is the default.

----------
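The sshd settings NeddySeagoon recommends in this post and in his first reply (no root login, keys instead of passwords, no silent fallback to password authentication when a client offers no key) as an added example that is not code from the thread: a weak and a hardened sshd_config side by side, plus a small audit function that reports which of the weak settings a config still has. Both configs are constructed samples, the account name "alice" is assumed, and the defaults the audit falls back on are those of the OpenSSH releases current when this thread was written.

```shell
#!/bin/sh
# Added example, not code from the thread: check an sshd_config for the
# settings discussed here (root login, key-only authentication). The two
# configs are constructed samples; the defaults assumed below are those of
# the OpenSSH releases current when this thread was written.

# Commented-out lines are how the stock file documents its defaults: root
# login and password authentication are on, and because keys are also on,
# a client that offers no key simply falls back to password guessing.
WEAK_CONFIG='#PermitRootLogin yes
#PubkeyAuthentication yes
#PasswordAuthentication yes
#ChallengeResponseAuthentication yes
#MaxAuthTries 6'

# Hardened: no root login, keys only, PAM keyboard-interactive disabled too
# (otherwise PAM still prompts for a password), fewer guesses per connection,
# and only named accounts may log in at all. "alice" is an assumed account.
HARDENED_CONFIG='PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
MaxAuthTries 3
LoginGraceTime 30
AllowUsers alice'

# sshd_effective KEY DEFAULT: print KEY's value from the config on stdin.
# sshd takes the first occurrence of a keyword and ignores later ones, and a
# leading "#" makes the line a comment, so "#PermitRootLogin yes" is no match.
sshd_effective() {
    val=$(awk -v k="$1" 'tolower($1) == tolower(k) { print $2; exit }')
    printf '%s\n' "${val:-$2}"
}

# sshd_audit: read a config on stdin and print one line per setting that
# still permits password guessing or hands out root directly; prints nothing
# when the config is clean. Match blocks are not evaluated here.
sshd_audit() {
    cfg=$(cat)
    check() {  # check KEY DEFAULT WANTED REASON
        got=$(printf '%s\n' "$cfg" | sshd_effective "$1" "$2")
        [ "$got" = "$3" ] || printf '%s=%s (want %s): %s\n' "$1" "$got" "$3" "$4"
    }
    check PermitRootLogin yes no "root is guessable directly; log in as a wheel user and su"
    check PasswordAuthentication yes no "clients that offer no key fall back to passwords"
    check ChallengeResponseAuthentication yes no "PAM keyboard-interactive still asks for a password"
}

# Demo: three findings for the stock-style config, none for the hardened one.
echo "weak config:";     printf '%s\n' "$WEAK_CONFIG" | sshd_audit
echo "hardened config:"; printf '%s\n' "$HARDENED_CONFIG" | sshd_audit
```

Before switching PasswordAuthentication off, put your public key in ~/.ssh/authorized_keys, restart sshd, and confirm a fresh key login works while an existing session stays open, so a mistake does not lock you out of the box. On OpenSSH versions that support it, `sshd -T` prints the effective configuration with defaults filled in and is a better input for the audit than the raw file. For the allow-list approach also mentioned above, sshd built with tcp_wrappers support honours `sshd: ALL` in /etc/hosts.deny together with `sshd: 192.0.2.0/24` (your own network, as an example) in /etc/hosts.allow.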

## mazaryk

Just a tip,

Hide the front door! i.e. move ssh off port 22.

----------

## NeddySeagoon

mazaryk,

There is no security in obscurity.

----------

## mazaryk

True, obscurity is not security in and of itself. However, for example, many companies have "trade secrets" which are protected mostly through obscurity. Also, many (if not all) security professionals will say that a layered approach is best. Obscurity is simply one more layer, a tissue-paper-thin one, but one nonetheless. Sometimes the simple approaches are the most effective.

Point is, using a non-standard ssh port will, at the very least, significantly reduce automated user/pass guessing attempts.

----------

## NeddySeagoon

mazaryk,

I concur with all of that.

----------

