*nix security question
Aficionado
Suspended
22518 Posts

so i have two boxes at school (georgia tech), one is an ubuntu 7.10 server that just does file server duties and a RHEL 5 client box that does everything else

both have very public ip addresses with port 22 open for incoming connections (note it is a pain in the ass to change the port number)

i have seen that random people have just been trying to connect with invalid user names: root, adm, nfs, etc and random names like john, steve, amanda, etc

does anyone have a good way to automatically block addresses (maybe create an iptable listing to deny) where the user name is incorrect after maybe 2 or 3 tries? i already have 2 failed password attempts close the connection and root can't log on remotely

i guess that just grepping the log with a script is going to be the way to do this so i guess if someone already has a script that works that would be great

3/21/2008 4:20:55 PM

OmarBadu
zidik
25071 Posts

2

3/21/2008 4:29:37 PM

llama
All American
841 Posts

"Fail2ban scans log files like /var/log/pwdfail or /var/log/apache/error_log and bans IP that makes too many password failures. It updates firewall rules to reject the IP address."

sudo apt-get install fail2ban
http://fail2ban.sourceforge.net/rpms/

3/21/2008 4:43:13 PM
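
The scan-the-log-then-firewall approach from the fail2ban description above, as an added sketch that is not part of the original thread and is not fail2ban's own code. The log lines are constructed in the style of OpenSSH's "Invalid user" messages, and the function names and the allowlisted range 192.0.2.0/24 are assumptions for illustration; the rules are only built as strings, never executed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the style of an OpenSSH auth log (not from the thread).
SAMPLE_LOG = """\
Mar 21 16:01:02 box sshd[4101]: Invalid user john from 203.0.113.7
Mar 21 16:01:05 box sshd[4103]: Invalid user steve from 203.0.113.7
Mar 21 16:01:09 box sshd[4105]: Invalid user amanda from 203.0.113.7
Mar 21 16:02:11 box sshd[4110]: Invalid user adm from 198.51.100.23
Mar 21 16:03:40 box sshd[4120]: Invalid user jsmiht from 192.0.2.10
Mar 21 16:03:44 box sshd[4121]: Invalid user jsmiht from 192.0.2.10
Mar 21 16:03:49 box sshd[4122]: Invalid user jsmiht from 192.0.2.10
Mar 21 16:04:00 box sshd[4130]: Invalid user x from 192.0.2.10 from 203.0.113.99
Mar 21 16:05:00 box sshd[4140]: Accepted password for alice from 192.0.2.10 port 50514 ssh2
"""

# Usernames are attacker-controlled and may contain " from <ip>", so anchor on
# the end of the line: the greedy .* makes the last " from " the one that counts.
INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user .* from (\S+)(?: port \d+)?\s*$")


def count_invalid_users(log_text):
    """Return a Counter of invalid-user attempts keyed by source IP string."""
    counts = Counter()
    for line in log_text.splitlines():
        match = INVALID_USER.search(line)
        if not match:
            continue
        try:
            ip = ipaddress.ip_address(match.group(1))
        except ValueError:
            continue  # hostname or junk: never pass it to a firewall command
        counts[str(ip)] += 1
    return counts


def ban_commands(log_text, max_tries=3, allowlist=()):
    """Build (not run) iptables rules for IPs at or over max_tries."""
    trusted = [ipaddress.ip_network(net) for net in allowlist]
    rules = []
    for ip, tries in sorted(count_invalid_users(log_text).items()):
        if tries < max_tries:
            continue
        if any(ipaddress.ip_address(ip) in net for net in trusted):
            continue  # allowlisted range (assumed to be your own): never ban it
        rules.append(f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP")
    return rules


if __name__ == "__main__":
    for rule in ban_commands(SAMPLE_LOG, allowlist=("192.0.2.0/24",)):
        print(rule)
```

With the sample above, only 203.0.113.7 is banned: the allowlisted address with three mistyped logins is skipped, and the line with a forged " from 192.0.2.10" inside the username is counted against its real source.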

gs7
All American
2354 Posts

^Nice

3/21/2008 4:59:07 PM

Scary Larry
Suspended
644 Posts

I'd stick with plan A: don't use the 3-5 passwords these bots scan for. In fact, I'd go so far as to use a strong password.

Banning users after a few failed attempts definitely shrinks the window of opportunity, but we're talking reducing the probability of a successful brute force by a factor of say 100 (personally never seen one bot try more than a few hundred account/password combinations) vs the orders-of-magnitude-higher improbability of cracking a truly strong password. It's not worth the risk you'll lock yourself out and be unable to log on to recover, in my opinion.

3/21/2008 11:55:56 PM

DoeoJ
has
7062 Posts

you also might want to look into turning off password logins and using public/private authorized keys. will prevent dictionary/precomputed attacks

3/22/2008 12:14:21 AM

drhavoc
All American
3759 Posts

^ Winn4r

3/22/2008 7:03:38 AM

smoothcrim
Universal Magnetic!
18966 Posts

+1 for using a key pair
if you don't want the boxes natted for some reason, I'd change the port for ssh, use key pairs, switch to blowfish password hashing, disable remote root, and probably a handful of other things when it comes to specific services.

3/22/2008 10:21:03 AM

mellocj
All American
1872 Posts

i would recommend just putting ssh on a different port - not sure why it is such a pain in the ass for you to do that


i've had problems before where bots opened so many connections to sshd that new connections would be refused.

3/22/2008 10:23:13 AM

moron
All American
34144 Posts

What happens if a legitimate user forgets their login/password?

3/22/2008 10:34:31 AM

Aficionado
Suspended
22518 Posts

Quote :
"i would recommend just putting ssh on a different port - not sure why it is such a pain in the ass for you to do that"


well hopefully the guy in my department will get dns name and firewall access soon so that it will become less of a pain. it's just a huge process and my advisor wanted to use port 22.

Quote :
"In fact, I'd go so far as to use a strong password."


those rules are already in place--users must have capital and lowercase letters, numbers, and special symbols in their password

Quote :
"disable remote root"


one of the first things i did

sounds like the key pairs may be the right idea...i'll have to do some research on it because we all use different programs to connect, i use putty, one guy is using cygwin and my advisor uses some other program

3/22/2008 12:25:14 PM


© 2024 by The Wolf Web - All Rights Reserved.