06-17-2009 #1 (Just Joined!, joined Jun 2009, 12 posts)
ssh illegal login attempts
Hi all,
I'm receiving illegal login attempts to ssh every 5 seconds, and cannot get iptables or hosts.deny to work. I've updated everything, tried all the forums, and it simply will not block these attempts.
sshd is started through inet.d and tcp wrappers are installed.
I am at my wits' end with this since it simply refuses to honor the blocks and just keeps letting these scum through to try brute force usernames.
Does anybody have any suggestions? I can post whatever info may be needed to help diagnose why this does not work.
06-17-2009 #2 (Linux Guru, joined Nov 2004, 6,110 posts)
Leaving aside issues with iptables and hosts.deny, are you running on the default port 22? Generally it's considered best practice to move to a random higher port. This will prevent (or at least make it more difficult for) automated brute force attacks. When I started out I ran on port 22 and had 10-15 attempts per minute on my system. After moving to another port I haven't had a single unauthorised attempt to log on to my machine, and it's been over three years!
I'd take a look at that first and then maybe someone else can give you a hand with the other issues.
06-17-2009 #3 (Just Joined!, joined Jun 2009, 12 posts)
No, it's not running on port 22. In fact, this is a fairly high-profile machine, so I changed the port number several times and they were on it again within minutes.
06-17-2009 #4 (Linux Guru, joined Nov 2007, 1,695 posts)
Your best friend - Fail2Ban
06-17-2009 #5 (Just Joined!, joined Jun 2009, 12 posts)
Doesn't fail2ban just work with iptables? If iptables will not operate by itself with ssh, how would fail2ban help?
06-17-2009 #6 (Linux Guru, joined Nov 2007, 1,695 posts)
To say that iptables "doesn't work" is absurd. Iptables works and is used by millions of systems globally.
If you are unable to craft a rule to block port XXX from certain IPs, then maybe the automated workings of fail2ban will help.
Fail2ban also has the added bonus of being automated. A rule manually created in iptables must be manually deleted, and future login attempts would require more rules to be created (manually).
The hosts.deny file is used by the tcpwrapper (x)inetd. If your ssh server is running as a daemon (which it usually is), then hosts.deny will have no effect because the ssh server is not running "behind" xinetd.
Google: iptables block ssh => 5 methods to prevent SSH attacks
06-17-2009 #7 (Just Joined!, joined Jun 2009, 12 posts)
I've said already, I've tried getting iptables to block ip addresses for ssh, and it does not work. I'm not suggesting the software doesn't work in general, I'm suggesting it does not block requests coming into SSH on this one machine, and I cannot figure out why. Simply telling me it works for everyone else is not helpful.
06-17-2009 #8 (Linux Guru, joined Nov 2007, 1,695 posts)
Simply telling us "it won't work" is not helpful. Iptables is the primary driver behind every Linux firewall I can think of.
You're telling us "the engine won't work. What else can I use to drive the car?"
My suggestion is to troubleshoot/fix the engine.
06-17-2009 #9 (Just Joined!, joined Jun 2009, 12 posts)
Well, troubleshooting it is exactly what I'm trying to do. I suppose installing fail2ban isn't too hard a thing to do, even if it seems pointless.
06-17-2009 #10 (Just Joined!, joined Jun 2009, 12 posts)
As I suspected, it does not appear to work. It is registering the IP to ban, but not successfully blocking it. The fail2ban.log shows the repeated "already banned" since the IP keeps showing up as having gotten through. There must be some other configuration/library that is missing or broken here.
2009-06-17 16:52:06,531 fail2ban.filter : INFO Set maxRetry = 6
2009-06-17 16:52:06,533 fail2ban.filter : INFO Set findtime = 600
2009-06-17 16:52:06,535 fail2ban.actions: INFO Set banTime = 600
2009-06-17 16:52:06,664 fail2ban.jail : INFO Jail 'ssh' started
2009-06-17 16:52:07,749 fail2ban.actions: WARNING [ssh] Ban 190.2.35.25
2009-06-17 16:53:43,763 fail2ban.actions: WARNING [ssh] 190.2.35.25 already banned
2009-06-17 16:55:03,762 fail2ban.actions: WARNING [ssh] 190.2.35.25 already banned
2009-06-17 16:57:28,760 fail2ban.actions: WARNING [ssh] 190.2.35.25 already banned
2009-06-17 16:58:38,759 fail2ban.actions: WARNING [ssh] 190.2.35.25 already banned
2009-06-17 16:59:53,758 fail2ban.actions: WARNING [ssh] 190.2.35.25 already banned
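As an added example (not from the thread or from fail2ban itself), a small Python script that reads a fail2ban 0.8 log in the format shown above and flags bans that were later followed by "already banned" for the same IP and jail: fail2ban only logs that line when its filter has matched a fresh failure from an IP it has already banned, so every such hit is evidence that the firewall action never took effect. The sample lines are constructed in the shape of the post's log.

```python
import re
from datetime import datetime

# Constructed sample in the shape of the fail2ban 0.8 log quoted in post #10.
SAMPLE_LOG = """\
2009-06-17 16:52:06,664 fail2ban.jail   : INFO   Jail 'ssh' started
2009-06-17 16:52:07,749 fail2ban.actions: WARNING [ssh] Ban 190.2.35.25
2009-06-17 16:53:43,763 fail2ban.actions: WARNING [ssh] 190.2.35.25 already banned
2009-06-17 16:55:03,762 fail2ban.actions: WARNING [ssh] 190.2.35.25 already banned
2009-06-17 17:02:07,751 fail2ban.actions: WARNING [ssh] Unban 190.2.35.25
2009-06-17 17:10:00,000 fail2ban.actions: WARNING [ssh] Ban 198.51.100.7
"""

# Matches the three action lines we care about: "Ban <ip>", "Unban <ip>",
# and "<ip> already banned". Other log lines are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ fail2ban\.actions\s*: WARNING "
    r"\[(?P<jail>[^\]]+)\] (?:(?P<verb>Ban|Unban) (?P<ip1>\S+)|(?P<ip2>\S+) already banned)$"
)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def ineffective_bans(log_text):
    """Return {(jail, ip): {banned_at, hits_after_ban, last_hit_secs}} for every
    ban that was followed by new failures from the same IP before its Unban."""
    active = {}  # (jail, ip) -> time of the Ban currently in force
    report = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        jail, verb = m.group("jail"), m.group("verb")
        if verb == "Ban":
            active[(jail, m.group("ip1"))] = parse_ts(m.group("ts"))
        elif verb == "Unban":
            active.pop((jail, m.group("ip1")), None)
        else:  # "already banned": the filter saw a fresh failure from a banned IP
            key = (jail, m.group("ip2"))
            banned_at = active.get(key)
            if banned_at is None:
                continue  # ban happened before this log window; nothing to compare
            entry = report.setdefault(
                key, {"banned_at": banned_at, "hits_after_ban": 0, "last_hit_secs": 0})
            entry["hits_after_ban"] += 1
            entry["last_hit_secs"] = int((parse_ts(m.group("ts")) - banned_at).total_seconds())
    return report


if __name__ == "__main__":
    for (jail, ip), e in ineffective_bans(SAMPLE_LOG).items():
        print(f"[{jail}] {ip}: banned {e['banned_at']}, still got through "
              f"{e['hits_after_ban']} time(s), last {e['last_hit_secs']}s after the ban")
```

If this reports hits after a ban, compare the port in the jail's iptables action (the stock ssh jail bans port=ssh, i.e. 22) with the port sshd actually listens on, and confirm with `iptables -L -n` that the fail2ban chain exists and is referenced from INPUT.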