[H-GEN] iptables autoblocking
Troy Piggins
troy at piggo.com
Wed Jul 20 17:44:20 EDT 2005
* Anthony Irwin <irwa82 at yahoo.com> :
>
> I have been looking through my logs and noticed that
> over the last month I have had a large number of
> different ip addresses trying to login to my system
> via ssh with generated user names.
I have the same problem, regularly.
> I was wondering if there is a way I could easily write
> a script that automatically added invalid user login
> attempts via ssh to be blocked in iptables and added
> to a block list.
Not sure about how to write that script, and another reply to your
email has provided links to possible solutions. However I was
reminded of someone's comment when I asked a similar question,
although not sure of the validity/accuracy.
They said quite often these IPs are not the actual attacker's IP
address anyway, they are zombies or pwned machines that just have
bots on them to carry out these attacks. So blocking the IP is not
treating the source of the problem, more of a band-aid approach.
For a while there I was doing a 'whois' on the IP addresses of
attempts, and they varied from Korea, South Africa, Taiwan,
Netherlands - all over the place.
Of course, at least blocking the address probably doesn't cause you
any drama directly, since it's unlikely that you will want to ssh in
from one of those addresses anyway. So blocking is certainly a
solution.
> below is a sample of my /var/log/auth.log file.
[snip]
> I would really like to be able to automatically block
> such attacks. I have thought about limiting ssh to
> certain ip addresses but would prefer to leave it open
> so I can login from anywhere.
>
> Any suggestions would be appreciated.
Firstly, and hopefully you have done this already, do not permit
root to login.
Secondly, if it's only you or a couple of users that use ssh,
restrict the allowed users to just those few usernames.
/etc/ssh/sshd_config:
PermitRootLogin no
AllowUsers anthony
The other thing is to not allow password logins
PasswordAuthentication no
PermitEmptyPasswords no
and use private/public key authentication. So even if they guess
your username, dictionary attacks on passwords are useless.
I like the other poster's link that suggested blocking more than 3
attempts through iptables, and might try to implement that myself.
Sorry I haven't provided a direct solution, just some thoughts.
--
Troy Piggins
e : troy at piggo.com
RedHat 9: mutt 1.5.9i, procmail 3.22, postfix 2.2.4, slrn 0.9.8.1,
vim 6.1, kernel 2.4.20-31.9
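The "block after more than 3 attempts" idea from the thread, as an added example that is not from the original posters: a small POSIX sh/awk script that counts "Failed password" lines per source address in auth.log format and prints the iptables rules it would add, rather than applying them, so the list can be checked against addresses you log in from. The log lines, host name and addresses are constructed for the example.

```shell
#!/bin/sh
# Added example: count failed ssh logins per source IP in auth.log-style
# lines and emit iptables DROP rules for sources over a threshold.
# The sample lines below are constructed, not taken from the original post.

SAMPLE_LOG=$(cat <<'EOF'
Jul 20 10:01:02 host sshd[1234]: Failed password for invalid user test from 192.0.2.10 port 40210 ssh2
Jul 20 10:01:05 host sshd[1235]: Failed password for invalid user guest from 192.0.2.10 port 40211 ssh2
Jul 20 10:01:09 host sshd[1236]: Failed password for invalid user admin from 192.0.2.10 port 40212 ssh2
Jul 20 10:01:12 host sshd[1237]: Failed password for invalid user oracle from 192.0.2.10 port 40213 ssh2
Jul 20 10:02:00 host sshd[1240]: Failed password for anthony from 198.51.100.7 port 51000 ssh2
Jul 20 10:02:30 host sshd[1241]: Accepted publickey for anthony from 198.51.100.7 port 51001 ssh2
Jul 20 10:03:00 host sshd[1250]: Failed password for invalid user test from 203.0.113.5 port 3333 ssh2
EOF
)

# offending_ips THRESHOLD   (log lines on stdin)
# Prints, sorted, one IP per line for sources with more than THRESHOLD
# failed password attempts. Successful logins are not counted.
offending_ips() {
    awk -v max="$1" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the source address is the field right after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] > max) print ip }
    ' | sort
}

# block_rules THRESHOLD   (log lines on stdin)
# Emits the iptables commands instead of running them, so the candidate
# list can be reviewed (and your own addresses excluded) before blocking.
block_rules() {
    offending_ips "$1" | while read -r ip; do
        printf 'iptables -I INPUT -s %s -p tcp --dport 22 -j DROP\n' "$ip"
    done
}

# Stand-alone run: show what would be blocked at the >3 threshold.
printf '%s\n' "$SAMPLE_LOG" | block_rules 3
```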