SSH bruteforce attempts

Maniaman · Post by **Maniaman** » Sun Apr 09, 2006 11:23 am

Reading through my sshd logs, I've noticed quite a few attempts to bruteforce my sshd server. Nothing wrong with it, as they haven't come close to getting through, but I don't like the fact that I am getting spammed with connection attempts by various IPs every few days.

Would it be possible to write a script that would add an iptables rule blocking these ips after 5 or 10 incorrect login attempts, and log them to a file I could show on my website (running on the same machine)? If so, how would I go about doing it?

Edit: just came across this in the log

sshd:
Authentication Failures:
unknown (204.13.170.30): 2859 Time(s)
root (204.13.170.30): 130 Time(s)

and a lot more, totally close to 3500 connection attempts by the same ip in 1 day.

Just yesterday looking at the logs, I got nearly 2,000 connect attempts from about 5 different IP addresses.

Void Main · Post by **Void Main** » Sun Apr 09, 2006 12:17 pm

Have you looked in to port knocking? I use knockd which is really easy to install and configure. That way your ssh daemon's port is never open until you knock on the magic sequence of ports. But yes, you *could* easily write a script to determine who has excessive failures and block that address. The only problem with that is usually these attempts are automated and if a worm of some sort were to be behind it you would get connection attempts from thousands of hosts. Things start to slow down when you have thousands of iptables rules blocking hosts I've found. I used to automatically block any machines trying to hit me with Code Red. So I would suggest setting up a port knocker if you can.

Basher52 · Post by **Basher52** » Sun Apr 09, 2006 11:07 pm

I only the open the ssh port for just a few IP addresses that i trust.
home, work and a pal of mine

Void Main · Post by **Void Main** » Mon Apr 10, 2006 4:52 am

I also do that (open it to select IP networks) but I also use port knocking should I be somewhere else (hotel, etc) and need to get in.

Maniaman · Post by **Maniaman** » Tue Apr 11, 2006 2:49 pm

I'm thinking I might just restrict it to certain ip addresses. I can't really think of any reason I would need on it when I'm at a hotel or so. Port knocking sounds interesting, however I have to use PuTTy many tims to connect to it, and I'm not really sure how to set up port knocking with PuTTy

Void Main · Post by **Void Main** » Tue Apr 11, 2006 3:36 pm

You wouldn't set up anything with putty. There is a client you can install called "knock" that you just give it the sequence of ports. For example:

knock myserver.mydomain.com 7000:tcp 9000:udp 5000:tcp

You could just put that in a script (or batch file). When you give it the magic sequence you can have it open your ssh port up for the address that did the knocking for a specified amount of time or until another knock sequence is issued. There are many ways to configure it. You can also just use telnet to send the knock sequence if you don't have the knock client installed (for tcp ports anyway).