- 10-04-2006 #1 Just Joined!
- Join Date
- Oct 2006
- Location
- Los Angeles
- Posts
- 7
Can we limit login failures from an IP address
I searched but couldn't find anything like this.
We get regular "dictionary attacks" on our ssh ports. People or programs trying various username/password combinations trying to log in. Sometimes close to 1000. The next day, reviewing the logs, we block the addresses or range around the addresses if it looks like a dynamic IP, using iptables.
Is there any way to enforce a rule that says any particular source IP can only have so many login failures before it is shut down?
Thanks,
Joe
- 10-04-2006 #2
hmm...
I'm not at all experienced in this sort of thing, but here are a few tips:
I think you can block certain IP addresses using the hosts.deny file.
First of all though, it might be better if you post the current contents of your /etc/hosts.deny file, in case you already have rules set.
Open a terminal and type:
Code:cat /etc/hosts.deny
That will tell you what's in the hosts.deny file.
Some distros like SuSE and Fedora/Red Hat already come with GUI tools for this kind of system administration, so we could also be more helpful if you tell us what distribution you are using.
All Empires rise and fall. The Microsoft Empire has already risen, only one way to go now...
- 10-04-2006 #3 Just Joined!
- Join Date
- Oct 2006
- Location
- Los Angeles
- Posts
- 7
Thanks for the suggestion. I'm using RedHat Enterprise 3.
Hosts.deny is more benign than an iptables DROP, but neither does what I'm looking for.
To try to clarify: as a security measure I would like to detect people and programs that are trying to log in using random username/password combinations and automatically keep them from stumbling onto a valid combination. Right now they get to try it one evening until I manually block them after seeing them in my Logwatch report.
Joe
- 10-04-2006 #4
Hm, since you are using RHEL, is there any chance that Red Hat might have a solution for this problem? You did pay for the support anyway...
I'm not pushing you away, but I really don't know what else there is to do.
All Empires rise and fall. The Microsoft Empire has already risen, only one way to go now...
- 10-13-2006 #5 Just Joined!
- Join Date
- Oct 2006
- Location
- Wellington, NZ
- Posts
- 16
You could probably write a "daemon" shell script to read login failures off the logs: failed root attempts are logged, but you could probably get other failures logging too. /var/log/messages records the IP address, and you could just grep for multiple failures from the same IP. With 'wc -l' you could check for more than x failures and add them to hosts.deny.
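The log-grepping approach idle describes, worked through as an added example (this is not idle's script): it counts "Failed password" lines per source IP and prints hosts.deny entries for any IP over a threshold. The log lines are constructed in the format sshd writes to /var/log/messages, using documentation address ranges.

```sh
#!/bin/sh
# Added example (not the poster's script): count sshd login failures per
# source IP in a syslog-style file and print hosts.deny entries for IPs
# over a threshold. The sample log below is constructed; the 192.0.2.x
# and 198.51.100.x addresses are reserved documentation ranges.

# Print "<count> <ip>" for every IP with failed sshd logins in file $1,
# most failures first. Matches both "Failed password for <user> from <ip>"
# and "Failed password for invalid user <user> from <ip>".
count_failures() {
    grep 'sshd\[[0-9]*\]: Failed password for' "$1" \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn
}

# Print a "sshd: <ip>" hosts.deny line for each IP with more than $2 failures.
deny_lines() {
    count_failures "$1" | awk -v max="$2" '$1 > max { print "sshd: " $2 }'
}

# Number of distinct IPs with at least one failure (the "wc -l" check).
failing_ip_count() {
    count_failures "$1" | wc -l | tr -d ' '
}

# Constructed sample log: one noisy source, plus one legitimate user's typo.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Oct  4 22:01:11 host sshd[1201]: Failed password for root from 192.0.2.10 port 40122 ssh2
Oct  4 22:01:13 host sshd[1203]: Failed password for invalid user admin from 192.0.2.10 port 40124 ssh2
Oct  4 22:01:15 host sshd[1205]: Failed password for invalid user test from 192.0.2.10 port 40126 ssh2
Oct  4 22:01:17 host sshd[1207]: Failed password for root from 192.0.2.10 port 40128 ssh2
Oct  4 22:05:02 host sshd[1300]: Failed password for joe from 198.51.100.7 port 51000 ssh2
Oct  4 22:05:09 host sshd[1302]: Accepted password for joe from 198.51.100.7 port 51002 ssh2
EOF

# Threshold of 3: only 192.0.2.10 (4 failures) is listed; joe's single
# mistyped password is not.
deny_lines "$SAMPLE_LOG" 3
```

Run it from cron with the output appended to /etc/hosts.deny, which only affects sshd when it is built with tcp_wrappers support (Red Hat's package is); the same counts could equally drive an iptables DROP rule, and a threshold above one keeps a legitimate user's typo from locking them out.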
- 10-14-2006 #6 Just Joined!
- Join Date
- Oct 2006
- Location
- Los Angeles
- Posts
- 7
Thanks Idle!
Originally Posted by idle
That sounds very doable. I'll get on it.
Joe
- 10-27-2006 #7 Just Joined!
- Join Date
- Jun 2006
- Location
- (.)
- Posts
- 69
There are a few main ways to stop a brute force attack:
- restricting the number of login attempts that a user can perform
- banning a user's IP after multiple failed login attempts
- keeping a close eye on your log files for suspicious login attempts
I would suggest you install BFD tools from: http://rfxnetworks.com/bfd.php
- 10-05-2007 #8 Just Joined!
- Join Date
- Oct 2007
- Posts
- 1
IP Tables
The best way that I have found for doing this is this:
sudo iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
sudo iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP
The downside to this is that every time you reboot or restart iptables you have to do this again. The easiest thing to do is put it in a bash script. There is a great article at TechBlog - How to: Block brute force attacks with iptables
- 10-05-2007 #9
- 10-05-2007 #10 Linux Guru
- Join Date
- Nov 2004
- Posts
- 6,110
Although it's not a direct solution to your problem, the way I got rid of brute forcers was changing the ssh port. Since I changed it I have only had one attempt on my box, and I changed it maybe 18 months ago.