If you’re using SSH and you have your ports wide open to the world, your best bet would be to install fail2ban. If you’re curious though as of whom is trying to get in by bruteforcing your SSH passwords, you might get a clear view with the following command:
grep “POSSIBLE BREAK-IN ATTEMPT” /var/log/auth.log
This will verbose a list detailing each break-in attempt that has been made, with the exact date, hour, minute and second of it. It will also display the point of origin of these attempts, in a fashion similar to this one:
Jul 21 13:54:35 brunner sshd[12144]: reverse mapping checking getaddrinfo for 66-195-150-176.static.twtelecom.net [66.195.150.176] failed – POSSIBLE BREAK-IN ATTEMPT!
Jul 21 13:54:38 brunner sshd[12146]: reverse mapping checking getaddrinfo for 66-195-150-176.static.twtelecom.net [66.195.150.176] failed – POSSIBLE BREAK-IN ATTEMPT!
Jul 21 13:54:42 brunner sshd[12152]: reverse mapping checking getaddrinfo for 66-195-150-176.static.twtelecom.net [66.195.150.176] failed – POSSIBLE BREAK-IN ATTEMPT!
Jul 21 13:54:45 brunner sshd[12155]: reverse mapping checking getaddrinfo for 66-195-150-176.static.twtelecom.net [66.195.150.176] failed – POSSIBLE BREAK-IN ATTEMPT!
Jul 21 13:54:49 brunner sshd[12163]: reverse mapping checking getaddrinfo for 66-195-150-176.static.twtelecom.net [66.195.150.176] failed – POSSIBLE BREAK-IN ATTEMPT!
Jul 21 13:54:52 brunner sshd[12165]: reverse mapping checking getaddrinfo for 66-195-150-176.static.twtelecom.net [66.195.150.176] failed – POSSIBLE BREAK-IN ATTEMPT!
Jul 21 13:54:56 brunner sshd[12171]: reverse mapping checking getaddrinfo for 66-195-150-176.static.twtelecom.net [66.195.150.176] failed – POSSIBLE BREAK-IN ATTEMPT!
Or on Fedora, and probably others:
grep 'POSSIBLE BREAK-IN ATTEMPT' /var/log/secureThis only checks one specific error, where the reverse IP lookup fails. If you only grep for that, you will miss all the brute force ssh attempts that happen to originate from IPs which do resolve successfully (which in my case is the vast majority)
I have had a lot of problems with brute force SSH break-in attempts
I solved it by adding two lines to my iptables (FEDORA) script:
-A RH-Firewall-1-INPUT -p tcp –dport 22 -m state –state NEW -m recent –set –name SSH
-A RH-Firewall-1-INPUT -p tcp –dport 22 -m state –state NEW -m recent –update –seconds 240 –hitcoun 2 –rttl –name SSH -j DROP
The above will allow 2 login attempts every 240 seconds.
Problem solved…
This is my method. It works effectively.
http://www.tuxopia.net/security_ssh_probe_block_script
A simple bash script that is cronned for every minute. Greps the logs for failed/invalid attempts and blocks the IP for ssh access.
You can couple this with other sshd configuration switches like MaxStartups, LoginGraceTime, MaxAuthTries, etc for better security.
@Rodger: yes, that will keep baddies from brute-forcing your ssh password. Unfortunately, it also looks like it will set you up for a denial of service condition. Quite unhandy if you have to SSH into your box while someone’s trying to hack it.
I use hosts.allow to block all but a few IPs. Then I allow only one user with a name that looks like a password. Then I use public-private keys.
Prior to this, viewing all of /var/log/auth.log and I found sites hitting every 4 seconds trying root + password, tom + password, jane + password etc.
Since these changes I only see connection refused for IP…. Haven’t seen any hits from the narrow range of IPs I allow. If they did they would not guess the valid user name, if they did they would not guess the 2048 character key.
@Joe. Good point. Sorry, I meant to say “The above will allow 2 login attempts every 240 seconds per IP address.”
So, to date I have not experienced a denial of service, even when the hack attempt is in in progress. I suppose if they spoofed a range of IP addresses there could be a denial of service situation. Generally when tying to hack a SSH port you need to set up a conversion, so spoofing is not an option for the SSH hack to succeed.
just use denyhosts. works like a charm.
Roger
I tried to add your 2 lines but I get an error on the 2nd line.
Cheers
Because it’s supposed to read “–hitcount 2” instead of “–hitcoun 2” (typo).
redacted@susan:~$ grep “POSSIBLE BREAK-IN ATTEMPT” /var/log/auth.log
grep: BREAK-IN: No such file or directory
grep: ATTEMPT”: No such file or directory
redacted@susan:~$ sudo !!
sudo grep “POSSIBLE BREAK-IN ATTEMPT” /var/log/auth.log
[sudo] password for redacted:
grep: BREAK-IN: No such file or directory
grep: ATTEMPT”: No such file or directory
/var/log/auth.log:Oct 26 02:44:51 susan sudo: redacted : TTY=pts/0 ; PWD=/home/mgranger ; USER=root ; COMMAND=/bin/grep “POSSIBLE BREAK-IN ATTEMPT” /var/log/auth.log
redacted@susan:~$