[Techtalk] 216 ssh login attempts, what to do?

aec brat at magma.ca
Tue Oct 12 21:17:32 EST 2004


Hey,
 
Recently, someone has attempted to log in to my Debian woody
server 216 times.

  
Oct 12 03:50:55 lemonjelly sshd[5495]: Could not reverse map address 69.182.27.122.
Oct 12 03:50:55 lemonjelly sshd[5495]: User root not allowed because not listed in AllowUsers

I have 3 people in AllowedUsers, and if you do not use that username
and supply the right password, you don't get in. I am thinking that
I should now limit the allowed users to specific IP addresses also, to
make it even harder, I would hope.

This person is trying root, www-data, nobody, backup and many common 
nix-like system usernames. 

I know very little about ipchains or tables, I think it's tables these
days, right? But I think I should sit down and spend some time learning
at least the basics... here is what I am thinking...

If anyone has X number of failed attempts then IP block them. The 3 people
that do have access are all friends that can email me or see me all
the time on IRC; if they get blocked, it's no big deal to unblock them.

I have no other need to allow anyone ssh access and would like to
block anyone that tries. To be honest, if you try only 2 or 3 times
I'd like some sort of way to block any more attempts, ideally with a
script. I can understand once by mistake, but much more than that I'd
just as soon not deal with that IP again.

Now I am a little paranoid and probably should have been a lot
paranoid when I opened the sshd port in the first place. I also
have an apache server to worry about too :-\

I do keep checking security updates twice a week at minimum and let
apt upgrade any new packages, but I think that's simply not enough.

So, is there a quickstart guide to iptables, so I can at least get
this person off my logs so to speak? I will then try to make sense
of some of the tutorials and guides I have found so far.
The man pages are confusing to say the least, but I've only read it
once, not the required 3 times :-)

Thanks for any tips or help!

-- 
Angelina Carlton
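
An added example, not part of the original post: one way to script the "X failed attempts" idea against the log format quoted above, where the denial line carries no address and has to be joined to the "Could not reverse map address" line by sshd pid. The function names, the threshold of 3, and all sample lines beyond the two quoted are assumptions; it also assumes every attempt logs an address line, as in the excerpt.

```python
import re
from collections import Counter

# Constructed sample in the quoted log format; 192.0.2.10 is a documentation address.
SAMPLE_LOG = """\
Oct 12 03:50:55 lemonjelly sshd[5495]: Could not reverse map address 69.182.27.122.
Oct 12 03:50:55 lemonjelly sshd[5495]: User root not allowed because not listed in AllowUsers
Oct 12 03:50:58 lemonjelly sshd[5497]: Could not reverse map address 69.182.27.122.
Oct 12 03:50:58 lemonjelly sshd[5497]: User www-data not allowed because not listed in AllowUsers
Oct 12 03:51:02 lemonjelly sshd[5499]: Could not reverse map address 69.182.27.122.
Oct 12 03:51:02 lemonjelly sshd[5499]: User nobody not allowed because not listed in AllowUsers
Oct 12 04:10:11 lemonjelly sshd[5520]: Could not reverse map address 192.0.2.10.
Oct 12 04:10:11 lemonjelly sshd[5520]: User backup not allowed because not listed in AllowUsers
"""

LINE = re.compile(r"sshd\[(\d+)\]: (.*)$")
ADDR = re.compile(r"Could not reverse map address (\d{1,3}(?:\.\d{1,3}){3})\.?$")
DENIED = re.compile(r"User (\S+) not allowed because not listed in AllowUsers")

def count_denied(log_text):
    """Return Counter {ip: denied attempts}, joining the two lines by sshd pid."""
    pid_to_ip = {}
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        a = ADDR.match(msg)
        if a:
            # Later address lines overwrite earlier ones, so a reused pid is safe.
            pid_to_ip[pid] = a.group(1)
        elif DENIED.match(msg) and pid in pid_to_ip:
            hits[pid_to_ip[pid]] += 1
    return hits

def offenders(log_text, threshold=3, allow=()):
    """IPs with at least `threshold` denied attempts, excluding trusted ones."""
    return sorted(ip for ip, n in count_denied(log_text).items()
                  if n >= threshold and ip not in allow)

def drop_rules(ips):
    """iptables commands to review and run by hand; nothing is executed here."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP" for ip in ips]

if __name__ == "__main__":
    print("\n".join(drop_rules(offenders(SAMPLE_LOG))))
```

Passing the three friends' addresses in `allow` keeps a typo from locking them out; the rules are only printed so they can be checked before being applied.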

