Temporarily Disable IP - Debian


Thread: Temporarily Disable IP

  1. Temporarily Disable IP

    Hi People,

    On my servers I'm repeatedly seeing unsuccessful ssh login attempts.

    Is there a way to temporarily disable such IPs which fail to authenticate ?

    Regards,

    rrs
    --
    Ritesh Raj Sarraf
    RESEARCHUT -- http://www.researchut.com
    Gnupg Key ID: 04F130BC
    "Stealing logic from one person is plagiarism, stealing from many is
    research."
    "Necessity is the mother of invention."


    --
    To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
    with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

  2. Re: Temporarily Disable IP

    On 5 Oct 2005, at 20:10, Ritesh Raj Sarraf wrote:
    > On my servers I'm repeatedly seeing unsuccessful ssh login attempts.
    > Is there a way to temporarily disable such IPs which fail to
    > authenticate ?


    There sure is: DenyHosts.
    http://denyhosts.sourceforge.net/

    Hth,

    Max



  3. Re: Temporarily Disable IP

    Ritesh Raj Sarraf wrote:
    > Hi People,
    >
    > On my servers I'm repeatedly seeing unsuccessful ssh login attempts.
    >
    > Is there a way to temporarily disable such IPs which fail to authenticate ?


    you can use sshd's AllowUsers directive, to disable specific hosts/users
    or use /etc/hosts.deny. a firewall will also do. but keep in mind, that
    ip-addresses could be spoofed and passwords could be mistyped too.

    --
    BOFH excuse #411:

    Traffic jam on the Information Superhighway.



  4. Re: Temporarily Disable IP

    Christian on Thursday 06 Oct 2005 01:15 wrote:

    > Ritesh Raj Sarraf wrote:
    >> Hi People,
    >>
    >> On my servers I'm repeatedly seeing unsuccessful ssh login attempts.
    >>
    >> Is there a way to temporarily disable such IPs which fail to authenticate
    >> ?

    >
    > you can use sshd's AllowUsers directive, to disable specific hosts/users
    > or use /etc/hosts.deny. a firewall will also do. but keep in mind, that
    > ip-addresses could be spoofed and passwords could be mistyped too.
    >


    Yes, and that's my real problem.

    I need to allow my clients to have ssh access. I'm not sure if they are
    going to use strong passwords. No enforcement.

    The attacks are being made using a dictionary, I guess.
    For user foo they are trying 100's of combinations.

    I was looking for something like,
    if 5 unsuccessful ssh logins from IP x
    Temporarily Deny IP x

    Regards,

    rrs
    --
    Ritesh Raj Sarraf
    RESEARCHUT -- http://www.researchut.com
    Gnupg Key ID: 04F130BC
    "Stealing logic from one person is plagiarism, stealing from many is
    research."
    "Necessity is the mother of invention."

  5. Re: Temporarily Disable IP

    Qualion System Administrator on Thursday 06 Oct 2005 01:35 wrote:

    > On 5 Oct 2005, at 20:10, Ritesh Raj Sarraf wrote:
    >> On my servers I'm repeatedly seeing unsuccessful ssh login attempts.
    >> Is there a way to temporarily disable such IPs which fail to
    >> authenticate ?

    >
    > There sure is: DenyHosts.
    > http://denyhosts.sourceforge.net/
    >
    > Hth,
    >
    > Max


    That is exactly what I was looking for.
    Thanks a ton.

    Regards,

    rrs
    --
    Ritesh Raj Sarraf
    RESEARCHUT -- http://www.researchut.com
    Gnupg Key ID: 04F130BC
    "Stealing logic from one person is plagiarism, stealing from many is
    research."
    "Necessity is the mother of invention."

  6. Re: Temporarily Disable IP

    On Thu, 06 Oct 2005 04:05:04 +0530
    Ritesh Raj Sarraf wrote:
    > I need to allow my clients to have ssh access. I'm not sure if they
    > are going to use strong passwords. No enforcement.
    >
    > The attacks are being made using a dictionary, I guess.
    > For user foo they are trying 100's of combinations.
    >
    > I was looking for something like,
    > if 5 unsuccessful ssh logins from IP x
    > Temporarily Deny IP x


    Hello,

    I think playing with LoginGraceTime is a better solution for this
    problem preventing e.g. the risk of a denial of service with spoofed
    addresses. Besides, encouraging users to use strong passwords is a must
    (I know a guy who is quite good in guessing passwords - once he guessed
    a password of a user in the 1st try by hand (not using a dictionary and
    the password wasn't the users name)).
    Additionally, most dictionary attacks on ssh focus on
    ssh-implementations not for Linux that come up with some
    default-accounts.

    Sincerely,
    Markus Beck



  8. Re: Temporarily Disable IP

    > Is there a way to temporarily disable such IPs which fail to authenticate ?

    Doing each of these things has had a dramatic impact on the number of brute
    force attempts I see:
    1) limit the ips with a blacklist -> at continental granularity
    2) limit the accounts that can login
    3) limit the number of attempts to 3 per 5 minutes per ip


    1) I used the raw ip blocks from "krfilter" to make a shorewall blacklist
    to disallow access from asian ips. (Not a good idea for a machine serving
    web pages or mail of course, this is for a personal machine.) If someone
    has a list of australian, european, etc I'd add those too...

    You can get the list I'm using for that from:
    http://www.hakusan.tsg.ne.jp/tjkawa/...ilter/uALL.txt

    2) I also limit the users with "AllowUsers" in my sshd_config.

    3) I followed these directions to get a "3 strikes and you're out for 5
    minutes" policy with shorewall (it's not totally spelled out but it will
    get you really close):
    http://lists.shorewall.net/pipermail...ry/017249.html

    Take care,
    Dale
    --
    Dale E. Martin - dale@the-martins.org
    http://the-martins.org/~dmartin
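
The "N failed logins from one IP inside a time window, then a temporary deny" policy asked for earlier in the thread and described in the post above, as an added Python example; it is not part of the thread and is not DenyHosts or shorewall code. The function name `plan_bans`, the 10-minute ban length, the allowlist parameter and the sample log lines are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in classic sshd syslog format (RFC 5737 documentation IPs).
SAMPLE_LOG = """\
Oct  6 04:00:01 srv sshd[901]: Failed password for foo from 192.0.2.10 port 4001 ssh2
Oct  6 04:00:03 srv sshd[902]: Failed password for foo from 192.0.2.10 port 4002 ssh2
Oct  6 04:00:05 srv sshd[903]: Failed password for invalid user admin from 192.0.2.10 port 4003 ssh2
Oct  6 04:00:06 srv sshd[904]: Failed password for alice from 198.51.100.7 port 5001 ssh2
Oct  6 04:00:07 srv sshd[905]: Failed password for foo from 192.0.2.10 port 4004 ssh2
Oct  6 04:00:09 srv sshd[906]: Failed password for foo from 192.0.2.10 port 4005 ssh2
Oct  6 04:00:11 srv sshd[907]: Failed password for foo from 192.0.2.10 port 4006 ssh2
Oct  6 04:00:20 srv sshd[908]: Accepted password for alice from 198.51.100.7 port 5002 ssh2
Oct  6 04:02:00 srv sshd[909]: Failed password for root from 203.0.113.5 port 6001 ssh2
Oct  6 04:09:00 srv sshd[910]: Failed password for root from 203.0.113.5 port 6002 ssh2
Oct  6 04:16:00 srv sshd[911]: Failed password for root from 203.0.113.5 port 6003 ssh2
Oct  6 04:23:00 srv sshd[912]: Failed password for root from 203.0.113.5 port 6004 ssh2
Oct  6 04:30:00 srv sshd[913]: Failed password for root from 203.0.113.5 port 6005 ssh2
"""

FAILED = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?\S+ from (\S+) port")

def plan_bans(log_text, max_failures=5, window=timedelta(minutes=5),
              ban_time=timedelta(minutes=10), allow=frozenset(), year=2005):
    """Return (ip, banned_at, banned_until) for each temporary ban the policy issues."""
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    banned_until, bans = {}, []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m or m.group(2) in allow:  # allowlisted client IPs are never banned
            continue
        # Classic syslog timestamps carry no year, so one is assumed here.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip, q = m.group(2), recent[m.group(2)]
        if banned_until.get(ip, ts) > ts:
            continue  # ban still active; it lapses by itself at banned_until
        q.append(ts)
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= max_failures:
            banned_until[ip] = ts + ban_time
            bans.append((ip, ts, banned_until[ip]))
            q.clear()
    return bans
```

On the sample, the burst from 192.0.2.10 is banned at its fifth failure, while the client with one mistyped password and the slow guesser at 203.0.113.5 are not; the latter is the case where account restrictions such as `AllowUsers` and strong passwords still matter.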



  9. Re: Temporarily Disable IP

    hi there;

    also, changing the default port for the ssh greatly (100%) alleviates
    such bruteforcing and most important, the side effects. i've seen
    smaller machines (2xPII500) to go "high" loadavg only from this...
    errr.. usage. which is a problem in most cases - the tools used to brute
    force seem to be quite dumb and are eating up bandwidth and cpu.
    changing the port is good "first aid".

    wwell edi

    Markus Beck wrote:

    >On Thu, 06 Oct 2005 04:05:04 +0530
    >Ritesh Raj Sarraf wrote:
    >
    >
    >
    >>I need to allow my clients to have ssh access. I'm not sure if they
    >>are going to use strong passwords. No enforcement.
    >>
    >>The attacks are being made using a dictionary, I guess.
    >>For user foo they are trying 100's of combinations.
    >>
    >>I was looking for something like,
    >>if 5 unsuccessful ssh logins from IP x
    >> Temporarily Deny IP x
    >>
    >>

    >
    >Hello,
    >
    >I think playing with LoginGraceTime is a better solution for this
    >problem preventing e.g. the risk of a denial of service with spoofed
    >addresses. Besides, encouraging users to use strong passwords is a must
    >(I know a guy who is quite good in guessing passwords - once he guessed
    >a password of a user in the 1st try by hand (not using a dictionary and
    >the password wasn't the users name)).
    >Additionally, most dictionary attacks on ssh focus on
    >ssh-implementations not for Linux that come up with some
    >default-accounts.
    >
    >Sincerely,
    >Markus Beck
    >
    >
    >
    >


