[Techtalk] 216 ssh login attempts, what to do?

Raquel Rice raquel at thericehouse.net
Tue Oct 12 19:05:16 EST 2004

On Tue, 12 Oct 2004 21:17:32 -0400
aec <brat at magma.ca> wrote:

> Hey,
> Recently, someone has attempted to login to my debian woody
> server 216 times.
> Oct 12 03:50:55 lemonjelly sshd[5495]: Could not reverse map
> address
> Oct 12 03:50:55 lemonjelly sshd[5495]: User root not allowed
> because not listed in AllowUsers
> I have 3 people in AllowedUsers, and if you do not use that
> username and supply the right password, you don't get in. I am
> thinking that I should now limit the allowed users to specific ip
> addresses also, to make it even harder, I would hope.
> This person is trying root, www-data, nobody, backup and many
> common nix-like system usernames. 
> I know very little about ipchains or tables, I think it's tables
> these days right? But I think I should sit down and spend some
> time learning at least the basics...here is what I am thinking...
> If anyone has X number of failed attempts then ip block them.
> The 3 people that do have access, are all friends that can email
> me or see me all the time on irc, if they get blocked, It's no big
> deal to unblock them.
> I have no other need to allow anyone ssh access and would like to
> block anyone that tries. To be honest, if you try only 2 or 3
> times I'd like some sort of way to block any more attempts,
> ideally with a script. I can understand once by mistake, but much
> more than that I'd just as soon not deal with that ip again.
> Now I am a little paranoid and probably should have been a lot
> paranoid when I opened the sshd port in the first place. I also
> have an apache server to worry about too :-\
> I do keep checking security updates twice a week at minimum and
> let apt upgrade any new packages, but I think that's simply not
> enough.
> So, is there a quickstart guide to iptables, so I can at least get
> this person off my logs so to speak? I will then try to make sense
> of some of the tutorials and guides I have found so far.
> The man pages are confusing to say the least, but I've only read it
> once, not the required 3 times :-)
> Thanks for any tips or help!
> -- 
> Angelina Carlton

I use Shorewall (available via apt-get) to help build my firewall. 
The IP numbers can be added to a "blacklist" if you wish, although
I've not seen any attempts using the same IP numbers.

The best you can probably do is to make sure that your SSH
installation is secure ... no root login, authentication via key.  I
saw a site on locking down SSH, but don't know where it is right
now.  I'll send it when I find it.

Don't be afraid to give your best to what seemingly are small jobs.
Every time you conquer one it makes you that much stronger. If you
do the little jobs well, the big ones tend to take care of
  --Dale Carnegie
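The "X failed attempts, then block the ip" script Angelina asks for, as an added example that belongs to neither poster: it counts rejected sshd logins per source address and renders the iptables DROP rules for review. The log lines are constructed (documentation IP ranges), and the assumption that the AllowUsers message can be tied to an address through the "Could not reverse map address" line of the same sshd pid follows the two lines quoted in the question.

```python
import re
from collections import Counter

# Constructed sample of auth.log lines (documentation IP ranges, not from the
# original post). The AllowUsers message carries no source address, so it is
# recovered from the "Could not reverse map address" line of the same sshd pid.
SAMPLE_LOG = """\
Oct 12 03:50:55 lemonjelly sshd[5495]: Could not reverse map address 192.0.2.10.
Oct 12 03:50:55 lemonjelly sshd[5495]: User root not allowed because not listed in AllowUsers
Oct 12 03:50:57 lemonjelly sshd[5497]: Could not reverse map address 192.0.2.10.
Oct 12 03:50:57 lemonjelly sshd[5497]: User www-data not allowed because not listed in AllowUsers
Oct 12 03:50:59 lemonjelly sshd[5499]: Illegal user backup from 192.0.2.10
Oct 12 03:51:01 lemonjelly sshd[5501]: Failed password for nobody from 192.0.2.10 port 40100 ssh2
Oct 12 04:10:12 lemonjelly sshd[5600]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Oct 12 04:10:20 lemonjelly sshd[5601]: Accepted publickey for alice from 198.51.100.7 port 51002 ssh2
"""

PID_RE = re.compile(r"sshd\[(\d+)\]: (.*)$")
ADDR_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Message fragments that mean sshd rejected a login attempt.
FAIL_MARKERS = ("not listed in AllowUsers", "Illegal user", "Failed password")

def failed_attempts(log_text):
    """Count rejected login attempts per source IP address."""
    addr_by_pid = {}  # sshd pid -> last address seen for that process
    counts = Counter()
    for line in log_text.splitlines():
        m = PID_RE.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        a = ADDR_RE.search(msg)
        if a:
            addr_by_pid[pid] = a.group(1)
        if any(marker in msg for marker in FAIL_MARKERS):
            ip = addr_by_pid.get(pid)
            if ip:  # lines whose address cannot be recovered are not counted
                counts[ip] += 1
    return counts

def offenders(log_text, threshold=3, allowlist=()):
    """Addresses with at least `threshold` failures, minus trusted ones."""
    return sorted(ip for ip, n in failed_attempts(log_text).items()
                  if n >= threshold and ip not in allowlist)

def iptables_rules(ips):
    """Render DROP rules as text so they can be reviewed before being applied."""
    return ["iptables -I INPUT -s %s -j DROP" % ip for ip in ips]
```

Run it from cron against /var/log/auth.log and put the three friends' addresses in `allowlist` so a mistyped password on their side never locks them out; the rules are printed rather than executed so they can be checked before they go into the firewall.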
