# possible to prevent break-in attempts over ssh?

## dmccarthy

Hi,

I've a gentoo box on the internet. I occasionally see ssh break-in attempts in my /var/log/auth.log file, lines like

```
Aug 15 13:34:00 www1 sshd[18547]: Invalid user vincent from 80.48.253.130
Aug 15 13:34:02 www1 sshd[18549]: Invalid user women from 80.48.253.130
```

repeated ad-nauseam from the same address, trying different usernames. Now the box is safe from this sort of attack as it only allows access via public key, but the attempts annoy me. Is there any tool out there that denies access from a specific ip address if too many dodgy usernames are attempted? Indeed, is there some other way of thwarting such script-kiddie nonsense?

Thanks

Denis

----------

## Janne Pikkarainen

emerge fail2ban. Very simple to setup and it automatically bans some IP address for some period of time after X failed login attempts.
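To show what "X failed attempts within some period, then a ban for some period" means for the log lines Denis quoted, here is an added Python model of a fail2ban-style jail. It is not fail2ban's code and not part of the thread; it replays constructed auth.log lines (the thread's two "Invalid user" lines plus made-up ones) with assumed `maxretry`, `findtime` and `bantime` values, and the "Failed password" pattern is an assumed second sshd message:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth.log lines in the format quoted in the thread
# (the second source, its timings and the accepted login are made up).
SAMPLE_LOG = """\
Aug 15 13:34:00 www1 sshd[18547]: Invalid user vincent from 80.48.253.130
Aug 15 13:34:02 www1 sshd[18549]: Invalid user women from 80.48.253.130
Aug 15 13:34:05 www1 sshd[18551]: Invalid user admin from 80.48.253.130
Aug 15 13:34:09 www1 sshd[18553]: Invalid user test from 80.48.253.130
Aug 15 13:40:00 www1 sshd[18560]: Invalid user bob from 192.0.2.10
Aug 15 13:41:00 www1 sshd[18562]: Accepted publickey for denis from 198.51.100.7 port 51234 ssh2
Aug 15 13:45:00 www1 sshd[18570]: Failed password for invalid user bob from 192.0.2.10 port 40001 ssh2
Aug 15 13:55:00 www1 sshd[18580]: Invalid user bob from 192.0.2.10
"""

# Failure messages to count: the "Invalid user" line from the thread plus the
# "Failed password" line sshd also emits (assumed here, as in fail2ban's sshd filter).
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Invalid user \S+ from|Failed password for (?:invalid user )?\S+ from) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_failure(line, year=2006):
    """Return (timestamp, source ip) for a counted failure line, else None.
    syslog lines carry no year, so one is supplied (assumption)."""
    m = FAIL_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
    return ts, m.group("ip")


def scan(log_text, maxretry=3, findtime=600, bantime=600):
    """Replay the log in order with fail2ban-style jail parameters:
    a source with >= maxretry failures inside findtime seconds is banned for
    bantime seconds. Returns [(ban_time, ip, ban_expiry), ...]."""
    window = timedelta(seconds=findtime)
    failures = defaultdict(deque)   # ip -> recent failure timestamps
    banned_until = {}               # ip -> when its ban lapses
    bans = []
    for line in log_text.splitlines():
        parsed = parse_failure(line)
        if parsed is None:
            continue                # accepted logins and unrelated lines are ignored
        ts, ip = parsed
        if ip in banned_until:
            if ts < banned_until[ip]:
                continue            # still banned: with the firewall rule in place sshd would not see this
            del banned_until[ip]    # ban lapsed; start counting afresh
            failures[ip].clear()
        q = failures[ip]
        q.append(ts)
        while ts - q[0] > window:   # drop failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            expiry = ts + timedelta(seconds=bantime)
            banned_until[ip] = expiry
            bans.append((ts, ip, expiry))
            q.clear()
    return bans


if __name__ == "__main__":
    for when, ip, until in scan(SAMPLE_LOG):
        print(f"{when:%b %d %H:%M:%S} ban {ip} until {until:%H:%M:%S}")
```

Run as-is, only 80.48.253.130 is banned (three failures within five seconds); 192.0.2.10 spreads its three failures over fifteen minutes, so with a ten-minute `findtime` it never trips the threshold, which is the usual trade-off with this class of tool: a slow scanner stays under the radar unless `findtime` is raised, and key-only authentication, as Denis already has, is what actually keeps such attempts harmless.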

----------

## wynn

The Handlers Diary Security Tip of the Day, *Handling brute-force login attempts*, has some useful tips.

----------

## dmccarthy

I'll try it - thanks

----------

## James Wells

Greetings,

I tried fail2ban and didn't like it. Instead I use:

```
# SSHD and DROPLOG are user-defined chains, so create them and hook SSHD
# into INPUT first (these three lines are not in the original post)
iptables -N SSHD
iptables -N DROPLOG
iptables -A INPUT -p tcp --dport 22 -j SSHD
# 4th and later NEW connections from one source within 24h go to DROPLOG;
# --update also refreshes the source's timestamp on every match
iptables -A SSHD -p tcp -m state --state NEW -m recent --update --seconds 86400 --hitcount 3 --rttl -j DROPLOG
# otherwise record the source address and accept
iptables -A SSHD -p tcp -m state --state NEW -m recent --set -j ACCEPT
# log at most 3 entries a minute (burst 10), then drop
iptables -A DROPLOG -m limit --limit 3/minute --limit-burst 10 -j LOG --log-prefix 'iptables Droplog: '
iptables -A DROPLOG -j DROP
```

Note that this method does not require any packages other than iptables and, for me anyway, works better than fail2ban and sshdfilter.
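To make the behaviour of the two `recent` rules concrete, here is an added Python model (not part of the post and not the kernel's code) that replays a constructed sequence of new SSH connections through the SSHD chain. It simplifies xt_recent to a per-source list of hit timestamps plus the TTL recorded by `--set`, and it assumes the `--seconds 86400 --hitcount 3 --rttl` parameters from the posted rules:

```python
from collections import defaultdict

# Parameters from the posted rule: --seconds 86400 --hitcount 3
SECONDS = 86400
HITCOUNT = 3


class RecentTable:
    """Simplified model of the xt_recent list: per-source hit timestamps plus
    the TTL seen when the source was listed (used by --rttl). The real kernel
    table caps the number of stamps per entry; this model does not."""

    def __init__(self):
        self.stamps = defaultdict(list)   # src -> hit times, oldest first
        self.ttl = {}                     # src -> TTL recorded at --set time

    def set(self, src, now, ttl):
        """--set: list the source (or add another hit) and record its TTL."""
        self.stamps[src].append(now)
        self.ttl[src] = ttl

    def update(self, src, now, ttl, seconds=SECONDS, hitcount=HITCOUNT, rttl=True):
        """--update --seconds S --hitcount N [--rttl]: true when the source is
        listed, its TTL matches (if --rttl) and it has >= N hits in the last
        S seconds. On a match the current time is added as a fresh hit, so a
        source that keeps retrying keeps its own block alive."""
        if src not in self.stamps:
            return False
        if rttl and self.ttl[src] != ttl:
            return False
        hits = sum(1 for t in self.stamps[src] if now - t <= seconds)
        if hits < hitcount:
            return False
        self.stamps[src].append(now)
        return True


def sshd_chain(table, src, now, ttl=64):
    """Walk the two SSHD rules for one NEW TCP connection to port 22."""
    # -A SSHD ... -m recent --update --seconds 86400 --hitcount 3 --rttl -j DROPLOG
    if table.update(src, now, ttl):
        return "DROP"         # DROPLOG chain: rate-limited LOG, then DROP
    # -A SSHD ... -m recent --set -j ACCEPT
    table.set(src, now, ttl)
    return "ACCEPT"


def simulate(connections):
    """connections: [(time_in_seconds, src, ttl), ...] in time order.
    Returns one verdict per connection."""
    table = RecentTable()
    return [sshd_chain(table, src, t, ttl) for t, src, ttl in connections]


# Constructed sequence of new SSH connections (times in seconds from the start).
CONNECTIONS = [
    (0,     "80.48.253.130", 64),   # 1st connection today: accepted, source listed
    (2,     "80.48.253.130", 64),   # 2nd: accepted
    (5,     "80.48.253.130", 64),   # 3rd: accepted; 3 hits now on record
    (9,     "80.48.253.130", 64),   # 4th: 3 hits inside 86400 s -> DROPLOG
    (100,   "198.51.100.7",  64),   # different source: separate counter, accepted
    (3600,  "80.48.253.130", 64),   # an hour later: still dropped, stamp refreshed
    (86406, "80.48.253.130", 64),   # a day after the 3rd accepted hit only the two
                                    # dropped attempts remain in the window: accepted again
]

if __name__ == "__main__":
    for (t, src, _), verdict in zip(CONNECTIONS, simulate(CONNECTIONS)):
        print(f"t={t:>6}s {src:<15} {verdict}")
```

Two properties of the ruleset fall out of the replay. The counter is per new connection, not per failed login, so four legitimate sessions in a day from one address (or from many users behind one NAT) also land in DROPLOG; and because the drop rule uses `--update`, every further knock adds a fresh timestamp, so a source is let back in only once it has been quiet long enough for fewer than three hits to remain inside the window. `--rttl` limits the damage from packets carrying a forged source address, since a mismatching TTL never counts against the listed source.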

----------

## Janne Pikkarainen

James Wells: Wow. You must be the first one I've seen who doesn't like fail2ban. What was so annoying in it? :)

----------

## James Wells

*Janne Pikkarainen wrote:*

> James Wells: Wow. You must be the first one I've seen who doesn't like fail2ban. What was so annoying in it?

It's not so much that I dislike it, more that I don't 'like' it.

The reasoning is fairly simple. The core functionality of both fail2ban and sshdfilter is using iptables to block port 22 access to specific hosts, based on source IP address. The solution I posted does the exact same thing, just without the extra bells and whistles, which I really see no need for.

I should probably point out that this is one of the things I love most about Unix... There is always more than one right way to do things.

----------

