Login

qstraza · 2006-05-05, 11:28 PM

hello, once again me, i have alot of security problems as u see:P

this time i would like to know which stuff is the best against brute force on sshd. I found some scripts that adds ip to iptables... but im not sure which one to use... or is there any other way? its is not that i dont like that, its is cool but i would like u to tell your opinion on this one...

cu;)

tek-69 · 2006-05-06, 01:17 AM

Theres not much you can do about scanners if thats what you mean. That said, I use /etc/hosts.deny and my logs to pinpoint troublemakers and deny their ip. basically if i see someone tried more than 10 times to get in, they get added to the list and after that the connection is automatically rejected and packets are ignored. So far I'd say after about 3 or 4 months of use, I've blocked about 10 repeat offenders. Not great but it helps. I'm curious myself as to what other poeple are doing to deal with the situation since it seems to be a net wide issue.

***anyweb*** · 2006-05-06, 08:44 AM

this this ssh rate limiter

[/url][url=<___base_url___>/index.php?showtopic=1829][/url][url=<___base_url___>/index.php?showtopic=1829]https://www.linux-noob.com/forums/index.php?showtopic=1829

cheers

anyweb

xDamox · 2006-05-06, 10:36 AM

Hi,

Have a look at pam_abl [/url][url=http://www.hexten.net/pam_abl/]http://www.hexten.net/pam_abl/ I was going to do a tutorial on it

but its pretty straight forward

qstraza · 2006-05-06, 11:42 AM

im looking at /var/log/messages last few days more often and i cannot belive my eyes. Im getting brute forced 5 hours at night from one hosts. But hosts are changing... tek-69, i blocked 10 hosts in 2 days... its pritty hard to follow this hosts and block them as they do that... so lame, so truckin lame [img]<___base_url___>/uploads/emoticons/default_mad.gif[/img]

***anyweb*** · 2006-05-06, 12:21 PM

Code:
# Authentication:

AllowUsers qstraza

DenyUsers www, oracle, daemon, ftpd, spamd, test, guest, admin, patrick, rolo, iceuser, horde, cyrus, wwwrun, matt, jane, pamela, cosmin, cpi52, cpi51, noc, webmaster, user

that should be a good start (remember to restart the sshd service after making changes to that file

cheers

anyweb

qstraza · (This post was last modified: 2006-05-06, 12:34 PM by qstraza.)

thx anyweb... i dont have root allowed to login for few years now... and i have only 4 users on the server. Those who are bruteforcing me never tries the correct user this far... just same strange names (which are in the bruteforce username_file or sth).

I will realy change sshd port, i cant see any other solution at this point.

oh anyweb your iptables rules rules :P

i tried that rule from FluKex but i dont see the results.

root@black:~# ssh faf@my_ip

faf@my_ip's password:

Permission denied, please try again.

faf@my_ip's password:

Permission denied, please try again.

faf@my_ip's password:

Permission denied (publickey,password,keyboard-interactive).

root@black:~# ssh faf@my_ip

ssh: connect to host my_ip port 22: Connection refused

root@black:~# ssh faf@my_ip

ssh: connect to host my_ip port 22: Connection refused

root@black:~#

this is after adding this rule in to the iptables:

Code:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -p tcp --dport 22 -m limit --limit 2/minute --limit-burst 1 -j ACCEPT

iptables -A INPUT -p tcp --dport 22 -j REJECT --reject-with tcp-reset

but before i tried this code:

Code:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -p tcp --dport 22 -m limit --limit 2/minute --limit-burst 1 -j ACCEPT

iptables -A INPUT -p tcp --dport 22 -j REJECT --reject-with tcp-reset

what did i missed on the second code?

xDamox · 2006-05-06, 02:10 PM

Did you look at pam_abl?

qstraza · 2006-05-06, 02:39 PM

xDamox i did but i dont like this part:

Code:
Generally configured so that blacklisted users still see normal login prompts but are guaranteed to fail to authenticate.

When bruteforce is executed on my host it will still take my bandwidth right?

When i check logs and look at users who was attempted, im sure that they wont figure the real user not even the password. But i getting laged upon bruteforce, its like a dos for me, cuz i have low upload. So i need something to drop connection, not to just esure that they cant login.

cu

znx · 2006-05-06, 03:05 PM

Quote:Theres not much you can do about scanners if thats what you mean. That said, I use /etc/hosts.deny and my logs to pinpoint troublemakers and deny their ip. basically if i see someone tried more than 10 times to get in, they get added to the list and after that the connection is automatically rejected and packets are ignored. So far I'd say after about 3 or 4 months of use, I've blocked about 10 repeat offenders. Not great but it helps. I'm curious myself as to what other poeple are doing to deal with the situation since it seems to be a net wide issue.

The BEST solution .. is to completely reject ALL password logins.. Only accept Pkey !

[/url][url=<___base_url___>/index.php?showtopic=1696][/url][url=<___base_url___>/index.php?showtopic=1696]https://www.linux-noob.com/forums/index.php?showtopic=1696 :)

Login
Username/Email:
Password:	Lost Password?
	Remember me