locking out sshd break in attempts? - Mandriva



Thread: locking out sshd break in attempts?

  1. locking out sshd break in attempts?

    Exactly one machine that I manage is allowed to accept off campus ssh
    connections. When the hackers find it they blast away at it with a
    zillion login attempts in rapid succession. (So far no evidence that
    anybody has gotten in though.) These show up in /var/log/messages like
    this:

    sshd[6154]: warning: /etc/hosts.allow, line 6: host name/name mismatch:
    webdfw.com != capstonea-11.august.net
    sshd[6154]: Address 76.12.88.13 maps to webdfw.com, but this does not
    map back to the address - POSSIBLE BREAK-IN ATTEMPT!
    sshd[6154]: Invalid user indiana from 76.12.88.13
    sshd[6155]: input_userauth_request: invalid user indiana
    sshd[6154]: error: Could not get shadow information for NOUSER
    sshd[6154]: Failed password for invalid user indiana from 76.12.88.13
    port 57218 ssh2

    Rather than logging these, which is what the MaxAuthTries parameter in
    /etc/ssh/sshd_config controls, I'd like to lock out further login
    attempts from that IP address for some period of time (an hour, for
    instance) after N (3 or 4) failed login attempts.

    Can this be done with settings in /etc/ssh/sshd_config or perhaps
    through msec?

    Mdv 2007.1
    openssh-server-4.6p1-1mdv2007.1

    Thanks,

    David Mathog

  2. Re: locking out sshd break in attempts?

    David Mathog writes:

    >Exactly one machine that I manage is allowed to accept off campus ssh
    >connections. When the hackers find it they blast away at it with a
    >zillion login attempts in rapid succession. (So far no evidence that
    >anybody has gotten in though.) These show up in /var/log/messages like
    >this:
    >
    >sshd[6154]: warning: /etc/hosts.allow, line 6: host name/name mismatch:
    >webdfw.com != capstonea-11.august.net
    >sshd[6154]: Address 76.12.88.13 maps to webdfw.com, but this does not
    >map back to the address - POSSIBLE BREAK-IN ATTEMPT!
    >sshd[6154]: Invalid user indiana from 76.12.88.13
    >sshd[6155]: input_userauth_request: invalid user indiana
    >sshd[6154]: error: Could not get shadow information for NOUSER
    >sshd[6154]: Failed password for invalid user indiana from 76.12.88.13
    >port 57218 ssh2
    >
    >Rather than logging these, which is what the MaxAuthTries parameter in
    >/etc/ssh/sshd_config controls, I'd like to lock out further login
    >attempts from that IP address for some period of time (an hour, for
    >instance) after N (3 or 4) failed login attempts.
    >
    >Can this be done with settings in /etc/ssh/sshd_config or perhaps
    >through msec?

    Well, I do it by having a script which places the IP address into
    /etc/hosts.allow in an
    sshd: .... :deny
    line which comes after an sshd: ..... :allow line on which to place
    whitelisted clients. I.e., I just deny an IP forever if it does more
    than 20 "invalid user" attempts.

    >Mdv 2007.1
    >openssh-server-4.6p1-1mdv2007.1
    >
    >Thanks,
    >
    >David Mathog
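
    The original question (N failures, then a lockout for about an hour) and the hosts.allow approach in the reply above can be combined in one small log scanner. The Python below is an added example written for this thread, not the script either poster runs. It assumes syslog lines in the usual "Mon DD HH:MM:SS host sshd[pid]: ..." form (the lines quoted above have that prefix stripped), an sshd linked against libwrap so that /etc/hosts.allow is consulted at all (the hosts.allow warnings in the log suggest it is), and that the expiry time is kept on a "# sshd-lockout ..." comment line, because tcp_wrappers only treats whole lines beginning with "#" as comments. The sample log and hosts.allow contents are constructed, using RFC 5737 documentation addresses.

```python
"""Count sshd password failures per source IP and keep timed 'deny' entries
for the offenders in /etc/hosts.allow (tcp_wrappers). Added example for this
thread; all sample data below is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 3                   # this many failures ...
WINDOW = timedelta(seconds=60)  # ... within this span trigger a block
LOCKOUT = timedelta(hours=1)    # block lasts this long after the last failure
# Expiry lives in a comment line: tcp_wrappers only treats whole lines that
# start with '#' as comments, so it cannot ride on the deny line itself.
MARK = "# sshd-lockout "

# Syslog prefix plus the sshd "Failed password" message quoted in the thread;
# "invalid user" is optional so failures against real accounts count too.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

def parse_ts(stamp, year):
    """Syslog stamps carry no year, so the caller supplies it."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def collect_failures(lines, year):
    """Return {ip: sorted failure times} from syslog lines."""
    fails = defaultdict(list)
    for line in lines:
        m = FAILED_RE.match(line.rstrip("\n"))
        if m:
            fails[m["ip"]].append(parse_ts(m["ts"], year))
    return {ip: sorted(t) for ip, t in fails.items()}

def find_offenders(fails, threshold, window, lockout):
    """IPs with `threshold` failures inside some `window`; value is the
    block expiry (last failure seen + lockout)."""
    blocks = {}
    for ip, times in fails.items():
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                blocks[ip] = times[-1] + lockout
                break
    return blocks

def deny_entry(ip, expires):
    """Expiry comment plus the tcp_wrappers rule (first match wins, so the
    caller keeps these below any 'sshd: <trusted> : allow' line)."""
    return [f"{MARK}{ip} expires {expires.isoformat(timespec='seconds')}",
            f"sshd: {ip} : deny"]

def update_hosts_allow(text, blocks, now):
    """Keep hand-written lines, drop expired managed entries, add or extend
    entries for `blocks`; managed entries are re-emitted at the end."""
    kept, active = [], {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        if lines[i].startswith(MARK):
            _, _, ip, _, stamp = lines[i].split()
            if datetime.fromisoformat(stamp) > now:
                active[ip] = datetime.fromisoformat(stamp)
            i += 2  # skip the comment and its deny line
            continue
        kept.append(lines[i])
        i += 1
    for ip, expires in blocks.items():
        if expires > now and expires > active.get(ip, datetime.min):
            active[ip] = expires
    for ip in sorted(active):
        kept.extend(deny_entry(ip, active[ip]))
    return "\n".join(kept) + "\n"

# Constructed sample: one scanner bursting from 192.0.2.10, one legitimate
# user mistyping a password once from 198.51.100.7 (RFC 5737 addresses).
SAMPLE_LOG = """\
Jan 17 10:00:01 gw sshd[6154]: Invalid user indiana from 192.0.2.10
Jan 17 10:00:01 gw sshd[6154]: Failed password for invalid user indiana from 192.0.2.10 port 57218 ssh2
Jan 17 10:00:03 gw sshd[6160]: Failed password for invalid user oracle from 192.0.2.10 port 57219 ssh2
Jan 17 10:00:05 gw sshd[6163]: Failed password for root from 192.0.2.10 port 57220 ssh2
Jan 17 10:00:08 gw sshd[6170]: Failed password for invalid user test from 192.0.2.10 port 57221 ssh2
Jan 17 10:02:00 gw sshd[6201]: Failed password for dmathog from 198.51.100.7 port 40001 ssh2
Jan 17 10:02:30 gw sshd[6202]: Accepted publickey for dmathog from 198.51.100.7 port 40002 ssh2
"""
# Constructed hosts.allow: a campus whitelist first, then one stale block.
EXISTING_HOSTS_ALLOW = """\
sshd: 10.0.0.0/255.255.255.0 : allow
# sshd-lockout 203.0.113.9 expires 2008-01-17T09:30:00
sshd: 203.0.113.9 : deny
"""
NOW = datetime(2008, 1, 17, 10, 5, 0)  # assumed clock for the demo

def demo():
    """Run the scanner over the sample and return the new hosts.allow text."""
    fails = collect_failures(SAMPLE_LOG.splitlines(), NOW.year)
    blocks = find_offenders(fails, THRESHOLD, WINDOW, LOCKOUT)
    return update_hosts_allow(EXISTING_HOSTS_ALLOW, blocks, NOW)

if __name__ == "__main__":
    print(demo(), end="")
```

    On the sample, 192.0.2.10 gets a deny entry expiring one hour after its last failure, the stale 203.0.113.9 entry is dropped, and the single mistyped password from 198.51.100.7 is ignored. For real use, run it from cron every minute over /var/log/messages, write the result to a temporary file and rename it over /etc/hosts.allow, and keep the whitelisting "allow" line above the generated block: tcp_wrappers stops at the first matching line, and a denied client is refused at connect time, before any password exchange. MaxAuthTries only limits attempts within one connection and resets on reconnect, which is why the count has to be kept outside sshd.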


  3. Re: locking out sshd break in attempts?

    On Thu, 17 Jan 2008, David Mathog wrote:

    >
    > Exactly one machine that I manage is allowed to accept off campus
    > ssh connections. When the hackers find it they blast away at it
    > with a zillion login attempts in rapid succession. (So far no
    > evidence that anybody has gotten in though.)
    > ....
    > Rather than logging these, which is what the MaxAuthTries parameter
    > in /etc/ssh/sshd_config controls, I'd like to lock out further login
    > attempts from that IP address for some period of time (an hour, for
    > instance) after N (3 or 4) failed login attempts.
    >
    > Can this be done with settings in /etc/ssh/sshd_config or perhaps
    > through msec?


    I use an adapted version of Lawrence D'Oliveiro's script here

    http://groups.google.co.uk/group/com...e?dmode=source

    do a
    Status = os.system("shorewall allow %s" % self.Addr)

    (and the converse) rather than the iptables change as it doesn't
    co-exist with shorewall, others seem to prefer denyhosts
    http://denyhosts.sourceforge.net/

    I also only allow pass phrase connections (at least on this m/c)

    Robert
    --
    The frog muses..in its water tower
    Links and things http://rmstar.blogspot.com/
