  1. #1
    Just Joined!
    Join Date
    Oct 2006
    Location
    Los Angeles
    Posts
    7

    Can we limit login failures from an IP address


    I searched but couldn't find anything like this.

    We get regular "dictionary attacks" on our ssh ports: people or programs trying various username/password combinations to log in, sometimes close to 1,000 of them. The next day, reviewing the logs, we block the addresses (or the range around the addresses if it looks like a dynamic IP) using iptables.

    Is there any way to enforce a rule that says any particular source IP can only have so many login failures before it is shut down?

    Thanks,

    Joe

  2. #2
    Linux Newbie easuter's Avatar
    Join Date
    Jan 2006
    Location
    Portugal
    Posts
    194
    hmm...
    I'm not at all experienced in this sort of thing, but here are a few tips:

    I think you can block certain IP addresses using the hosts.deny file.

    First of all though, it might be better if you post the current contents of your /etc/hosts.deny file, in case you already have rules set.

    Open a terminal and type:

    Code:
    cat /etc/hosts.deny
    That will tell you what's in the hosts.deny file.

    Some distros like SUSE and Fedora/Red Hat already come with GUI tools for this kind of system administration, so we could also be more helpful if you tell us what distribution you are using.
    All Empires rise and fall. The Microsoft Empire has already risen, only one way to go now...

  3. #3
    Just Joined!
    Join Date
    Oct 2006
    Location
    Los Angeles
    Posts
    7
    Thanks for the suggestion. I'm using RedHat Enterprise 3.

    Hosts.deny is more benign than an iptables DROP, but neither does what I'm looking for.

    To try to clarify: as a security measure I would like to detect people and programs that are trying to log in using random username/password combinations and automatically keep them from stumbling onto a valid combination. Right now they get to try it for an evening until I manually block them after seeing it in my Logwatch report.

    Joe

  4. #4
    Linux Newbie easuter's Avatar
    Join Date
    Jan 2006
    Location
    Portugal
    Posts
    194
    Hm, since you are using RHEL, is there any chance that Red Hat might have a solution for this problem? You did pay for the support, anyway...

    I'm not pushing you away, but I really don't know what else there is to do.
    All Empires rise and fall. The Microsoft Empire has already risen, only one way to go now...

  5. #5
    Just Joined!
    Join Date
    Oct 2006
    Location
    Wellington, NZ
    Posts
    16
    You could probably write a "daemon" shell script to read login failures off the logs: failed root attempts are logged, but you could probably get other failures logged too. /var/log/messages records the IP address, and you could just grep for multiple failures from the same IP. With 'wc -l' you could check for more than x failures and add them to hosts.deny.
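    The log-scraping approach suggested above, worked out as an added example (not idle's or any poster's script). It assumes OpenSSH's standard "Failed password for ... from <ip> port ..." syslog lines and an sshd linked against tcp_wrappers (libwrap), so that an "sshd: <ip>" line in /etc/hosts.deny takes effect; the log lines, file paths and the allow-list file are constructed for the example. Instead of grep plus wc -l per address, it uses sort | uniq -c to count every source address in one pass, skips addresses you list in an allow file (so a cron job cannot lock out your own admin hosts), and skips addresses already present in hosts.deny so it can be run repeatedly from cron.

```shell
#!/bin/sh
# Added example: count failed sshd logins per source address in a
# syslog-style log and append offenders to a hosts.deny file.
# Assumes OpenSSH's standard "Failed password for ... from <ip> port ..."
# log lines and an sshd built with tcp_wrappers (libwrap) support, so a
# "sshd: <ip>" entry in hosts.deny is honoured.

# Constructed sample log lines (not from a real host) so the script can be
# run stand-alone; in production read /var/log/messages or /var/log/secure.
sample_log() {
    cat <<'EOF'
Oct 12 03:14:22 gw sshd[2117]: Failed password for invalid user admin from 203.0.113.5 port 41234 ssh2
Oct 12 03:14:25 gw sshd[2119]: Failed password for invalid user test from 203.0.113.5 port 41240 ssh2
Oct 12 03:14:29 gw sshd[2121]: Failed password for root from 203.0.113.5 port 41251 ssh2
Oct 12 03:14:33 gw sshd[2123]: Failed password for invalid user oracle from 203.0.113.5 port 41260 ssh2
Oct 12 03:15:01 gw sshd[2130]: Failed password for joe from 198.51.100.7 port 52001 ssh2
Oct 12 03:15:40 gw sshd[2131]: Accepted password for joe from 198.51.100.7 port 52003 ssh2
Oct 12 03:16:02 gw sshd[2140]: Failed password for root from 192.0.2.44 port 33010 ssh2
Oct 12 03:16:05 gw sshd[2141]: Failed password for root from 192.0.2.44 port 33012 ssh2
Oct 12 03:16:09 gw sshd[2142]: Failed password for root from 192.0.2.44 port 33015 ssh2
EOF
}

# Read log lines on stdin; print "<count> <ip>" for each source address with
# at least $1 failed logins. Both valid-user and "invalid user" failures match;
# "Accepted" lines are ignored.
failures_by_ip() {
    threshold=$1
    grep 'sshd\[[0-9]*\]: Failed password for ' \
        | sed -n 's/.* from \([0-9.][0-9.]*\) port .*/\1/p' \
        | sort | uniq -c \
        | awk -v t="$threshold" '$1 >= t { print $1, $2 }'
}

# Read "<count> <ip>" lines on stdin and append "sshd: <ip>" to the deny file
# $2, skipping addresses listed one per line in the allow file $1 (your own
# admin hosts) and addresses already denied (so the script is safe to run
# from cron every few minutes).
ban_ips() {
    allow_file=$1
    deny_file=$2
    while read -r count ip; do
        if grep -qxF "$ip" "$allow_file" 2>/dev/null; then
            continue
        fi
        if grep -qxF "sshd: $ip" "$deny_file" 2>/dev/null; then
            continue
        fi
        echo "sshd: $ip" >> "$deny_file"
        echo "banned $ip after $count failed logins"
    done
}

# Usage: ban_after <threshold> <logfile> <allowfile> <denyfile>
# e.g.   ban_after 5 /var/log/messages /etc/ssh-allow.list /etc/hosts.deny
ban_after() {
    failures_by_ip "$1" < "$2" | ban_ips "$3" "$4"
}
```

    Run it from cron with a threshold that a mistyped password will not hit (5 to 10 failures in a day's log is reasonable) and keep the allow file populated with the addresses you administer from. Note that this only stops an attacker who has already failed at least the threshold number of times, and that hosts.deny blocks at the tcp_wrappers layer, so the connection still reaches sshd and is still logged.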

  6. #6
    Just Joined!
    Join Date
    Oct 2006
    Location
    Los Angeles
    Posts
    7
    Quote Originally Posted by idle
    You could probably write a "daemon" shell script to read login failures off the logs: failed root attempts are logged, but you could probably get other failures logged too. /var/log/messages records the IP address, and you could just grep for multiple failures from the same IP. With 'wc -l' you could check for more than x failures and add them to hosts.deny.
    Thanks Idle!

    That sounds very doable. I'll get on it.

    Joe

  7. #7
    Just Joined!
    Join Date
    Jun 2006
    Location
    (.)
    Posts
    69
    There are a few main ways to stop a brute-force attack:

    - restricting the number of login attempts that a user can perform
    - banning a user's IP after multiple failed login attempts
    - keeping a close eye on your log files for suspicious login attempts

    I would suggest you install the BFD tools from: http://rfxnetworks.com/bfd.php

  8. #8
    Just Joined!
    Join Date
    Oct 2007
    Posts
    1

    IP Tables

    The best way that I have found for doing this is this:
    Code:
    sudo iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
    sudo iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP

    The downside to this is that every time you reboot or restart iptables you have to do this again. The easiest thing to do is put it in a bash script. There is a great article at TechBlog - How to: Block brute force attacks with iptables
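    The script the post says to put the rules in, as an added example (not the poster's or TechBlog's code). It generates the same two "recent" rules with the interface, port, window and hit count as variables, adds an optional ACCEPT for an admin network in front of them so your own hosts are never rate-limited, and honours an IPTABLES variable so you can set IPTABLES="echo iptables" to print the rules before applying them for real. The ADMIN_NET value, the script name and the rc.local placement are assumptions for the example; the recent match itself needs the ipt_recent / xt_recent kernel module.

```shell
#!/bin/sh
# Added example: rate-limit new SSH connections per source address with the
# iptables "recent" match. Set IPTABLES="echo iptables" for a dry run.
IPTABLES=${IPTABLES:-iptables}
IFACE=${IFACE:-eth0}
SSH_PORT=${SSH_PORT:-22}
WINDOW=${WINDOW:-60}     # seconds
HITS=${HITS:-8}          # new connections allowed per WINDOW per source
ADMIN_NET=${ADMIN_NET:-} # e.g. 198.51.100.0/24 (assumed); never rate-limited

# Print the rule set, one rule per line. Order matters: the admin exemption
# must come before the tracking rules, and --set must come before --update
# so a connection is recorded before the hit count is checked.
ssh_ratelimit_rules() {
    base="-A INPUT -i $IFACE -p tcp --dport $SSH_PORT -m state --state NEW"
    if [ -n "$ADMIN_NET" ]; then
        echo "$base -s $ADMIN_NET -j ACCEPT"
    fi
    echo "$base -m recent --set --name SSH"
    echo "$base -m recent --update --seconds $WINDOW --hitcount $HITS --rttl --name SSH -j DROP"
}

# Feed each rule to $IPTABLES; returns non-zero if any rule fails to load.
apply_ssh_ratelimit() {
    ssh_ratelimit_rules | while read -r rule; do
        # word splitting of $rule into separate arguments is intended
        $IPTABLES $rule || exit 1
    done
}

# Usage: sh ssh-ratelimit.sh show|apply
# Call "apply" from /etc/rc.d/rc.local (or your firewall script) so the rules
# survive a reboot or an iptables restart.
case "${1:-}" in
    show)  ssh_ratelimit_rules ;;
    apply) apply_ssh_ratelimit ;;
esac
```

    Two things to keep in mind with these rules. Because the second rule uses --update rather than --rcheck, every new attempt from a blocked source refreshes its timestamp, so a host that keeps hammering stays blocked until it has been quiet for the whole window; --rttl additionally ignores packets whose TTL differs from the first one seen, so someone cannot get your admin address banned by spoofing a burst of SYNs from it. And since the rules are appended with -A, they must land before any final REJECT in your INPUT chain (Red Hat's default firewall has one) or they will never be reached; check with iptables -L INPUT -n --line-numbers.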

  9. #9
    Linux Guru anomie's Avatar
    Join Date
    Mar 2005
    Location
    Texas
    Posts
    1,692
    Check out denyhosts and fail2ban.

  10. #10
    Linux Guru bigtomrodney's Avatar
    Join Date
    Nov 2004
    Location
    Ireland
    Posts
    6,125
    Although it's not a direct solution to your problem, the way I got rid of brute forcers was changing the ssh port. Since I changed it I have only had one attempt on my box - and I changed it maybe 18 months ago.
