restrict ssh access - SSH


Thread: restrict ssh access

  1. restrict ssh access

    We have one ssh server which receives about 6000 failed attempts to log in
    using various usernames every day from malicious hosts (averaging about 1000
    attempts from each distinct client IP address).
    Does anyone know if there is a way to restrict the number or rate of
    unsuccessful login attempts per client IP address? For example, configure
    the ssh server to accept only one ssh connection request per minute from the
    same client IP address. Thanks very much.

    Simon(Xinming)



  2. Re: restrict ssh access

    "Xinming He" wrote in news:dopr4j$9r8$1@gist.usc.edu:

    > We have one ssh server which receives about 6000 failed attempts to
    > log in using various usernames every day from malicious hosts (averaging
    > about 1000 attempts from each distinct client IP address).
    > Does anyone know if there is a way to restrict the number or rate of
    > unsuccessful login attempts per client IP address? For example,
    > configure the ssh server to accept only one ssh connection request per
    > minute from the same client IP address. Thanks very much.
    >
    > Simon(Xinming)


    I am having the same problem, but not in as much quantity as you. I have not
    fully solved the problem, but I believe I am on the correct path and just
    lack a few more settings to stop it completely.

    Are you using the ssh under Cygwin by any chance? I'm not sure if all of
    this works for OpenSSH, but it appears as if most of it is a similar
    program. If so, I'll try to relay all of what I have discovered so far.

    If you use Cygwin, go here and look at all the settings of this file:

    c:\cygwin\etc\sshd_config

    # Authentication:

    #LoginGraceTime 2m
    #PermitRootLogin yes
    StrictModes no
    #MaxAuthTries 6

    The following is a portion of my file and the area I believe you want to
    modify.

    I'm guessing you would want to set it like this:

    # Authentication:

    #LoginGraceTime 2m
    #PermitRootLogin yes
    StrictModes yes
    #MaxAuthTries 6

    If you want to change the maximum number of tries, just take out the #
    symbol and change the number; the same goes for LoginGraceTime 2m.

    Hope that helps. I have not tried it myself, but since I am having the same
    problem with attackers I think I will try that next to see how and if it
    works.
    ==================================================
    You can also try this if you know all the IP addresses of the computers that
    are trying to connect to your server.

    Modify the file c:\cygwin\etc\hosts.allow on the server to reflect the
    specific computers you want to access the service.

    My particular file says the following (IPs changed to protect the
    innocent):

    #
    # hosts.allow This file describes the names of the hosts which are
    # allowed to use the local INET services, as decided
    # by the '/usr/sbin/tcpd' server.
    #
    #
    sshd: "some ip address no quotes" <-- put any ip addresses you want here
    sshd: 127.0.0.1 <--- this just lets the client computer access only ssh
    all: 127.0.0.1 <--- this lets the client computer access all services
    sshd: 127.0.0.2 <--- put new address in on the next line

    You can also do the same thing with hosts.deny to specifically block IPs
    that you know are attacking you.

    ==================================================
    Currently I'm trying to make it so the client needs a public/private key
    pair to be able to log in. I can get my keys to work properly, but I can't
    eliminate the keyless login feature that asks for a normal password.

    Here is some info on how to set up public/private keys. The website I got
    it from is not up at the moment (maybe due to winter break at this guy's
    school), but to give credit, here it is:


    http://www.mines.edu/~gmurray/HowTo/sshNotes.html
    The following was cut and slightly edited from the above link.

    For public key / private key operation do the following.
    Create your keys: You need to create private and public ssh keys and put
    them in the proper place with the proper permissions. In your home
    directory create a folder .ssh ($ mkdir .ssh), if there is none. Create
    the keys with the command

    $ ssh-keygen -t dsa

    The ssh-keygen program will ask for a passphrase, just hit the "Enter"
    key unless for some reason you know you want a passphrase. This creates
    the keys id_dsa and id_dsa.pub and puts them in .ssh/. The private key
    id_dsa must be readable only by you; change its permissions with

    $ chmod 600 .ssh/id_dsa

    Put the public key on the server: In this section we are assuming
    the remote server is also running OpenSSH. Somehow, you must get the
    .ssh/id_dsa.pub key onto the remote server, whether by email, ftp,
    carrying it over on a floppy (sneakernet), etc.; the cool way to do it
    is to use scp, which was installed along with ssh. Suppose the remote
    server is named foobar.edu, and your account there is "dude". To copy
    the file to foobar, run

    $ scp .ssh/id_dsa.pub dude@foobar.edu:

    Don't forget the trailing colon. You will be asked for dude's password
    on foobar before the copying commences. The file will be copied to dude's
    home directory on foobar.

    Install the public key on the remote computer: (We assume the remote
    computer is running OpenSSH on Linux or UNIX!) Once id_dsa.pub is on the
    remote server, log in to the remote server.
    From your home directory (where you should see your newly arrived
    id_dsa.pub) create a .ssh folder if none exists. Then append your
    id_dsa.pub to a file in .ssh with

    $ cat id_dsa.pub >> .ssh/authorized_keys

    This will create the file authorized_keys if none exists. The id_dsa.pub
    key may be removed from the remote computer's home directory, if you like.
    The .ssh folder on the remote computer must have the correct permissions;
    you may set them with

    $ chmod 4755 .ssh

    Checking the password-less connection: Now the command

    $ ssh dude@foobar.edu

    should give you a password-less connection to foobar.edu. Likewise,
    scp should be password-free.

    By the way, all the commands you do by first logging into the remote
    server can be done remotely using ssh. See the documentation for details.




    Good luck.
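
The reply above suggests two defensive measures (count who is hammering the server and list the worst offenders in hosts.deny) and mentions being unable to turn off password logins. The script below is an added example; it is not code from this thread or from the site the reply quotes. The log lines and the sshd_config fragment in it are constructed samples. It assumes OpenSSH's standard syslog wording ("Failed password for [invalid user] NAME from IP port N ssh2") and the tcp_wrappers "sshd: IP" syntax the poster uses in hosts.allow. The directive the poster was looking for is PasswordAuthentication no; the catch is that sshd uses the first occurrence of a keyword in sshd_config, not the last, so a stray earlier "yes" silently wins. The sshd_effective helper reproduces that rule (it does not model Match blocks).

```shell
#!/bin/sh
# Added example, not code from the thread. Two helpers for the situation
# described above: (1) count failed password attempts per source address in
# OpenSSH log output and emit hosts.deny lines for the worst offenders;
# (2) report the value sshd will actually use for a directive, given that
# sshd takes the FIRST occurrence of a keyword. All data below is constructed.

# Constructed sample of /var/log/auth.log (or /var/log/secure) entries.
SAMPLE_LOG=$(cat <<'EOF'
Dec 26 14:34:42 gw sshd[2210]: Failed password for invalid user admin from 203.0.113.5 port 4412 ssh2
Dec 26 14:34:45 gw sshd[2212]: Failed password for invalid user test from 203.0.113.5 port 4413 ssh2
Dec 26 14:34:49 gw sshd[2215]: Failed password for root from 203.0.113.5 port 4414 ssh2
Dec 26 14:35:02 gw sshd[2220]: Failed password for invalid user oracle from 198.51.100.7 port 3301 ssh2
Dec 26 14:36:10 gw sshd[2230]: Accepted publickey for simon from 192.0.2.10 port 51022 ssh2
Dec 26 14:37:00 gw sshd[2235]: Failed password for simon from 192.0.2.10 port 51023 ssh2
EOF
)

# failed_by_ip: read sshd log lines on stdin, print "<count> <ip>" per source
# address, highest count first. Handles both "for invalid user X from IP" and
# "for X from IP" by taking the word that follows "from".
failed_by_ip() {
    awk '/sshd\[[0-9]+]: Failed password for / {
             for (i = 1; i <= NF; i++) if ($i == "from") { print $(i + 1); break }
         }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# deny_lines THRESHOLD: hosts.deny entries (tcp_wrappers syntax, matching the
# poster's hosts.allow) for every address with at least THRESHOLD failures.
deny_lines() {
    failed_by_ip | awk -v t="$1" '$1 >= t { print "sshd: " $2 }'
}

# Constructed sshd_config fragment: commented defaults are ignored, the first
# live "PasswordAuthentication no" wins, and the later "yes" has no effect.
SAMPLE_SSHD_CONFIG=$(cat <<'EOF'
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
StrictModes yes
MaxAuthTries 3
PasswordAuthentication no
PasswordAuthentication yes
PubkeyAuthentication yes
EOF
)

# sshd_effective KEYWORD DEFAULT: value sshd will use for KEYWORD, reading the
# config on stdin. Comments and blank lines are skipped, the keyword match is
# case-insensitive, only the first occurrence counts, and DEFAULT is printed
# when the keyword is absent. Match blocks are not modelled.
sshd_effective() {
    awk -v key="$1" -v def="$2" '
        BEGIN { key = tolower(key); found = 0 }
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == key && !found { print $2; found = 1 }
        END { if (!found) print def }'
}

# Stand-alone run: triage the sample log, propose deny lines for addresses
# with 3 or more failures, and show whether password logins are really off.
printf '%s\n' "$SAMPLE_LOG" | failed_by_ip
printf '%s\n' "$SAMPLE_LOG" | deny_lines 3
printf '%s\n' "$SAMPLE_SSHD_CONFIG" | sshd_effective PasswordAuthentication yes
```

To use it on a real host, replace the printf of SAMPLE_LOG with a read of the auth log and the threshold with something suited to the volumes in the question (the 1000-attempts-per-address figure is well above any legitimate typo rate). Note that OpenSSH removed its built-in tcp_wrappers support in version 6.7, so on a modern server hosts.deny has no effect on sshd itself and the firewall route taken in the next reply is the one that still works.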

  3. Re: restrict ssh access

    On Mon, 26 Dec 2005 14:34:42 -0800, Xinming He wrote:

    > We have one ssh server which receives about 6000 failed attempts to log in
    > using various usernames every day from malicious hosts (averaging about
    > 1000 attempts from each distinct client IP address). Does anyone know if
    > there is a way to restrict the number or rate of unsuccessful login
    > attempts per client IP address? For example, configure the ssh server to
    > accept only one ssh connection request per minute from the same client IP
    > address. Thanks very much.
    >
    > Simon(Xinming)



    This is something I picked up at some newsgroup not long ago.


    #! /bin/sh
    #
    # This is a deterrent against SSH breakin attempts. Without this,
    # /var/log/messages tends to get flooded by traces from such attempts. The
    # last two lines of this script prevent such attempts from taking place more
    # frequently than every 15 seconds. Effectively, a failed SSH login attempt
    # from a given IP address results in any further SSH login attempts from that
    # address being summarily dismissed for 15 seconds. The first line in the
    # script just ensures that this mechanism is not used for our internal network.


    iptables -A INPUT -p tcp -i eth0 -s 192.168.0.0/24 --dport 22 -j ACCEPT
    iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --update --seconds 15 -j DROP
    iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --set -j ACCEPT
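
The three rules above permit one new SSH connection per source address every 15 seconds, which is exactly the "one connection per minute" idea in the question with a shorter window. The script below is an added example, not code from this thread; it generalises the same xt_recent mechanism so that a source may open up to HITCOUNT-1 new connections within WINDOW seconds before further attempts are dropped, while the internal network stays exempt as in the original. The interface name, the 192.168.0.0/24 trusted network, the list name "sshlimit", the 60-second window and the hit count of 4 are assumed values chosen for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: a generalisation of the three
# iptables rules above. The original permits one new SSH connection per
# source address every 15 seconds; this version allows up to HITCOUNT-1 new
# connections per source within WINDOW seconds and drops the rest, while the
# internal network stays exempt. Run as root to install; IPT=echo previews.
IPT=${IPT:-iptables}

# Tunables (assumed values for the example; adjust to your network).
IFACE=${IFACE:-eth0}                          # interface facing the attackers
TRUSTED_NET=${TRUSTED_NET:-192.168.0.0/24}    # internal network, never limited
WINDOW=${WINDOW:-60}                          # seconds the counter looks back
HITCOUNT=${HITCOUNT:-4}                       # the Nth new connection in WINDOW is dropped
LIST=${LIST:-sshlimit}                        # name of the xt_recent address list

ssh_ratelimit_rules() {
    # 1. Trusted network bypasses the limiter entirely (as in the original).
    "$IPT" -A INPUT -p tcp -i "$IFACE" -s "$TRUSTED_NET" --dport 22 -j ACCEPT

    # 2. Record every new SSH connection attempt in the address list. Because
    #    this runs before the DROP rule, dropped attempts are recorded too, so
    #    a client that keeps retrying never lets its window expire.
    "$IPT" -A INPUT -p tcp -i "$IFACE" -m state --state NEW --dport 22 \
        -m recent --name "$LIST" --set

    # 3. Drop the attempt when this source already has HITCOUNT hits inside
    #    WINDOW seconds. --update refreshes the source's timestamp on every
    #    hit (the behaviour the original rules rely on); --rcheck would only
    #    test the list without touching the timestamp.
    "$IPT" -A INPUT -p tcp -i "$IFACE" -m state --state NEW --dport 22 \
        -m recent --name "$LIST" --update --seconds "$WINDOW" \
        --hitcount "$HITCOUNT" -j DROP
}

if [ "${1:-}" = "apply" ]; then
    ssh_ratelimit_rules
else
    echo "Dry run; pass 'apply' to install. Rules that would be added:" >&2
    ( IPT=echo; ssh_ratelimit_rules )
fi
```

Two caveats a practitioner should know before relying on this: the xt_recent module only keeps ip_pkt_list_tot timestamps per address (20 by default), so a HITCOUNT above that value never matches; and, like the original, this limits new TCP connections rather than failed authentications, so a single connection that retries passwords up to MaxAuthTries is not counted more than once. Pair it with a low MaxAuthTries and PasswordAuthentication no in sshd_config for the effect the question is after.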

