How do I stop bruteforce SSH login attempt?

Soo-Hyun Choi s.choi at hackers.org.uk
Wed Apr 12 19:04:23 UTC 2006


Okay, now, what if I would like to attack back to the machine? I guess
the machine performing the bruteforce ssh attack would also have been
cracked by somebody. Assuming the attacking machine is the
originator, how do I fight back?

;-)

Soo-Hyun



On 4/12/06, email.listen at googlemail.com <email.listen at googlemail.com> wrote:
> On Wed, 12 April 2006 13:50, Chris Peterman wrote:
> > On Wednesday 12 April 2006 07:30, Soo-Hyun Choi wrote:
> > > Hi,
> > >
> > > A few days ago, I noticed that my system is under constant
> > > attack(?) with a bruteforce SSH login - e.g., from a single IP
> > > address, it tries like 100 ~ 200 ssh login trials with all different
> > > user names, and goes away.
> > >
> > > I know how to block it in a FreeBSD system with "denyhost" or
> > > "bruteforceblocker" from the ports, but I have little knowledge in my
> > > Ubuntu 5.10 box.
> > >
> > > Would there be anyone who could tell me something about it?
> > >
> > > Thank you.
> > > Soo-Hyun
> >
> > Just add "ALL: <offending IP Address>" to /etc/hosts.deny. Also HowtoForge
> > has a nice little DenyHosts script that takes care of these so-called
> > Dictionary Attacks.
>
> Plus, add only allowed hosts to /etc/hosts.allow
>
> - Also 'man ssh_config' will give more information on how to restrict ssh access
> to a machine. Have at least a look at the options 'CheckHostIP'
> and 'ConnectionAttempts'.
>
>
> - A good tool to have some kind of dynamic handling of such attacks is
> portsentry. Portsentry listens on ports defined in /etc/portsentry.conf and
> is able to add iptables rules to block suspicious attackers.
> E.g.:
> ---8<---
> # iptables support for Linux
> #KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP"
> #
> # iptables support for Linux with limit and LOG support. Logs only
> # a limited number of packets to avoid a denial of service attack.
>  KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP && /sbin/iptables -I INPUT -s $TARGET$ -m limit --limit 3/minute --limit-burst 5 -j LOG --log-level DEBUG --log-prefix 'Portsentry: dropping: '"
> ---8<---
>
> - What I would suggest if you are familiar with administration is
> installing and configuring xinetd instead of inetd.
> xinetd is a replacement for the old inetd and allows binding services to
> IP addresses, e.g. to local addresses only, and restricting the access to
> allowed IP netmasks, e.g. your local net.
> So xinetd is a good way to offer services only on the local net and not in the
> wild and evil internet, and to restrict the access to it.
>
> ---8<--- from /etc/xinetd.conf ---8<---
> service ssh
> {
>       port = 22
>       # the ip 192.168.10.5 is my local-net nic
>       bind = 192.168.10.5
>       socket_type = stream
>       protocol = tcp
>       # sshd has to start as root so it can switch to the logging-in user
>       user = root
>       group = users
>       # ssh is an external server, not an xinetd internal service;
>       # -i tells sshd it is being run from an inetd-style superserver
>       server = /usr/sbin/sshd
>       server_args = -i
>       wait = no
>       instances = 4
>       # access restricted to my local-net only
>       only_from = 192.168.10.0
> }
> ---8<---
>
> - Also a good book about Linux/Unix network security may be a good investment,
> if you read it, of course; the investment alone will not make it. ;-)
> Overall I have to say that network security is one of the most interesting
> and dynamic fields in ITC, at least as interesting as GNU/Linux and Free
> Software. :))
>
>
>
> regards,
> Thomas
>
> --
> ubuntu-users mailing list
> ubuntu-users at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
>
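A minimal DenyHosts-style detector for the approach discussed in this thread (an added example, not code from the thread, from DenyHosts or from portsentry): it parses sshd failure lines from a syslog-format auth log, counts failures per source address in a sliding window regardless of which user name was tried, and emits the hosts.deny entry and iptables DROP rule the replies describe. The host name, addresses and log lines are constructed, and the 2006-era log format is assumed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# sshd failure line in 2006-era syslog format (constructed; adjust to your logs).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)

def parse_ts(ts, year=2006):
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")  # syslog has no year

def find_offenders(lines, threshold=5, window_seconds=60):
    """Return {ip: peak_failures} for IPs with >= threshold failures inside
    any window_seconds span, whatever user names were tried."""
    recent, offenders = defaultdict(deque), {}
    for line in lines:
        m = FAILED_RE.match(line.rstrip("\n"))
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ip, ts = m["ip"], parse_ts(m["ts"])
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # forget attempts that fell out of the window
        if len(q) >= threshold:
            offenders[ip] = max(offenders.get(ip, 0), len(q))
    return offenders

def block_actions(ip):
    """hosts.deny entry and iptables DROP rule from the thread, as strings (not executed)."""
    return (f"ALL: {ip}", f"/sbin/iptables -I INPUT -s {ip} -j DROP")

# Constructed sample: six failures from 10.0.0.7 in six seconds, plus LAN traffic.
SAMPLE_LOG = [
    "Apr 12 13:50:01 box sshd[2001]: Failed password for invalid user admin from 10.0.0.7 port 40001 ssh2",
    "Apr 12 13:50:02 box sshd[2002]: Failed password for invalid user test from 10.0.0.7 port 40002 ssh2",
    "Apr 12 13:50:03 box sshd[2003]: Failed password for invalid user oracle from 10.0.0.7 port 40003 ssh2",
    "Apr 12 13:50:04 box sshd[2004]: Failed password for invalid user guest from 10.0.0.7 port 40004 ssh2",
    "Apr 12 13:50:05 box sshd[2005]: Failed password for root from 10.0.0.7 port 40005 ssh2",
    "Apr 12 13:50:06 box sshd[2006]: Failed password for invalid user mysql from 10.0.0.7 port 40006 ssh2",
    "Apr 12 13:50:30 box sshd[2007]: Accepted publickey for soohyun from 192.168.10.5 port 5000 ssh2",
    "Apr 12 13:51:10 box sshd[2008]: Failed password for soohyun from 192.168.10.5 port 5001 ssh2",
]

if __name__ == "__main__":
    for ip in find_offenders(SAMPLE_LOG):
        print(*block_actions(ip), sep="\n")
```

The single failure from the LAN address never reaches the threshold, so only the scanning host is reported; the threshold and window are the knobs to tune against your own log volume before feeding the output to hosts.deny or iptables.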