Koozali.org: home of the SME Server

Blocking attempts to hack into server

mackayr

Blocking attempts to hack into server
« on: July 23, 2005, 10:35:03 AM »
I have recently had people attempting to guess usernames/passwords into my server (SSH).  I have this port open so that I can access my home computer from anywhere, otherwise I'd disable it.  Obviously I'd never be able to totally secure it, without also blocking access by me, but I'd like to at least change some settings to make it more secure.  Is there any way to block an IP after X unsuccessful login attempts?  Is there any way to impose a delay after an unsuccessful attempt?

Any ideas?

Thanks,

Rob

gordonr
Re: Blocking attempts to hack into server
« Reply #1 on: July 23, 2005, 11:34:44 AM »
Quote from: "mackayr"
I have recently had people attempting to guess usernames/passwords into my server (SSH).  I have this port open so that I can access my home computer from anywhere, otherwise I'd disable it.  Obviously I'd never be able to totally secure it, without also blocking access by me, but I'd like to at least change some settings to make it more secure.  Is there any way to block an IP after X unsuccessful login attempts?  Is there any way to impose a delay after an unsuccessful attempt?


- Use SSH public keys (search the boards for a HOWTO) - avoid password authentication
- SME7.0Alpha drops the connection after two failed attempts

mackayr

Blocking attempts to hack into server
« Reply #2 on: July 24, 2005, 01:29:00 AM »
OK.  I've set up SSH key authorization, and it seems to be working great.  None of the intruders got in (apparently), but I've noticed something else.  Perhaps not highly surprising, but all 5-6 of the IPs I traced were in Africa, Korea, China, etc...  I know that in North America, we're in the ARIN registry and I believe that I can find the spans of IP addresses assigned to all other regions.  How can I block a range of IP addresses from even attempting to log in?  I know that the key authorization is MUCH safer than what I had, but you can never be too paranoid.

Any suggestions?

Thanks,

Rob

gordonr
Blocking attempts to hack into server
« Reply #3 on: July 24, 2005, 03:19:05 AM »
Quote from: "mackayr"
How can I block a range of IP addresses from even attempting to log in?


I would suggest allowing a specific range to log in, and blocking anyone else. See here:

http://forums.contribs.org/index.php?topic=27855.msg115824#msg115824

FYI - in 7.0alpha, I have added both AllowHosts and DenyHosts options to the packet filter.
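The two measures gordonr suggests in this thread (drop a source after repeated failed attempts; allow only a known range and block everyone else) as an added example, not code from the SME Server project or from anyone in this thread: a Python script that scans sshd log lines, counts failed-password attempts per source IP, and reports which sources exceed a threshold or fall outside an allow-list of CIDR ranges. The log lines and the allow-listed 198.51.100.0/24 range are constructed for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines in the style of sshd entries in /var/log/secure (not real log data).
SAMPLE_LOG = """\
Jul 23 09:58:01 sme sshd[2211]: Failed password for illegal user test from 203.0.113.45 port 4112 ssh2
Jul 23 09:58:04 sme sshd[2213]: Failed password for illegal user admin from 203.0.113.45 port 4113 ssh2
Jul 23 09:58:07 sme sshd[2215]: Failed password for root from 203.0.113.45 port 4114 ssh2
Jul 23 10:02:11 sme sshd[2290]: Failed password for rob from 198.51.100.7 port 50122 ssh2
Jul 23 10:02:30 sme sshd[2292]: Accepted publickey for rob from 198.51.100.7 port 50123 ssh2
Jul 23 10:15:42 sme sshd[2310]: Failed password for illegal user oracle from 192.0.2.200 port 3301 ssh2
"""

# Matches both the older "illegal user" and the newer "invalid user" wording of OpenSSH.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:illegal|invalid) user )?(\S+) from (\S+) port"
)


def count_failures(log_text):
    """Return a Counter of failed-password attempts keyed by source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts


def offenders(log_text, threshold):
    """Source IPs with at least `threshold` failures: candidates for a deny rule."""
    return sorted(ip for ip, n in count_failures(log_text).items() if n >= threshold)


def allowed(ip, allow_nets):
    """True if `ip` falls inside one of the allow-listed networks."""
    addr = ip_address(ip)
    return any(addr in net for net in allow_nets)


def outside_allow_list(log_text, allow_cidrs):
    """Sources with any failure that an allow-only packet filter would have rejected."""
    nets = [ip_network(cidr) for cidr in allow_cidrs]
    return sorted(ip for ip in count_failures(log_text) if not allowed(ip, nets))


if __name__ == "__main__":
    print("repeat offenders (>=3 failures):", offenders(SAMPLE_LOG, 3))
    print("outside allow-list:", outside_allow_list(SAMPLE_LOG, ["198.51.100.0/24"]))
```

On SME Server the real input would be /var/log/secure; the output is only a report, so the admin still decides what to feed into the packet filter's allow/deny settings.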

kruhm
Blocking attempts to hack into server
« Reply #4 on: July 24, 2005, 01:45:34 PM »
you could also turn off access from the outside. this forces a vpn or a remote desktop into your xp box.

kruhm
Blocking attempts to hack into server
« Reply #5 on: July 24, 2005, 01:47:21 PM »
...

mackayr

Blocking attempts to hack into server
« Reply #6 on: July 24, 2005, 09:12:54 PM »
I see now how to add a range of IP addresses to allow, but how can I block (for example all of APNIC and others outside of North America)?

Also, for periodic access, isn't SSH as secure as VPN?  And wouldn't a VPN mess up a computer's connection with a remote network?  i.e. If my computer is on Network A and I'm trying to VPN to Network B (SME Server), wouldn't that affect the resources available on Network A?

I hope this makes sense.

Thanks!

gordonr
Blocking attempts to hack into server
« Reply #7 on: July 25, 2005, 03:16:38 AM »
Quote from: "mackayr"
I see now how to add a range of IP addresses to allow, but how can I block (for example all of APNIC and others outside of North America)?


I'm told some very nice people live outside North America :-)

The ability to DenyHosts is only in the 7.0alpha stream - see my post earlier in this thread.

In any case, the list of networks to allow/deny will be huge - why not just allow the ones you care about?

Quote from: "mackayr"

Also, for periodic access, isn't SSH as secure as VPN?  


Yes, and arguably more so.

Quote from: "mackayr"

And wouldn't a VPN mess up a computer's connection with a remote network?  i.e. If my computer is on Network A and I'm trying to VPN to Network B (SME Server), wouldn't that affect the resources available on Network A?


That all depends on how the VPN and the client PC are configured.

CharlieBrady
Blocking attempts to hack into server
« Reply #8 on: July 25, 2005, 03:50:00 AM »
Quote from: "gordonr"

Quote from: "mackayr"

Also, for periodic access, isn't SSH as secure as VPN?  


Yes, and arguably more so.


I don't think there's any argument. SSH with public key authentication *is* more secure than PPTP VPN with password authentication.

gordonr
Blocking attempts to hack into server
« Reply #9 on: July 25, 2005, 04:09:04 AM »
Quote from: "CharlieBrady"

I don't think there's any argument. SSH with public key authentication *is* more secure than PPTP VPN with password authentication.


Absolutely. But I didn't see mention of which VPN technology in this thread.

mackayr

Blocking attempts to hack into server
« Reply #10 on: July 25, 2005, 04:34:16 AM »
Quote from: "gordonr"

I'm told some very nice people live outside North America :-)

Yes, I know that's true.  But I'll not be outside of North America anytime in the near future.  Since virtually all of my attacks have been generated from there, I figured by blocking their whole range of IP addresses, I may virtually eliminate the hacking.  The only reason I am doing it this way (blocking access to certain IP addresses) is because I don't know the IP ranges of where I may want to log in from.  If I always logged in from the same place, then I'd know and would just open access to that particular range.

Quote from: "gordonr"

The ability to DenyHosts is only in the 7.0alpha stream - see my post earlier in this thread.

Is 7.0alpha relatively stable yet?

p.s. I posted another thread looking for the content of a file that I accidentally deleted.  Anyone able to send me that info?  The file is /etc/e-smith/events/actions/cups-anacron-logrotate.  I just need the text and hopefully it's not customized for my install.

mackayr

Blocking attempts to hack into server
« Reply #11 on: July 25, 2005, 04:39:04 AM »
Quote from: "gordonr"
Quote from: "CharlieBrady"

I don't think there's any argument. SSH with public key authentication *is* more secure than PPTP VPN with password authentication.


Absolutely. But I didn't see mention of which VPN technology in this thread.


Is there a more secure VPN technology than SSH key access?  I've never really experimented with VPN on my server, though I've had VPN access to another server.  Which is why my concerns about my client machine ... in that case it seemed to route my internet requests through their server instead of my own.  For example ... www.whatismyip.com indicated my IP address to be that of the server I had VPN access to, but when I disconnected, it reverted back to my own.  I wasn't comfortable with what else it may affect (i.e. outgoing email, etc...)

gordonr
Blocking attempts to hack into server
« Reply #12 on: July 25, 2005, 05:03:53 AM »
Quote from: "mackayr"

Since virtually all of my attacks have been generated from there, I figured by blocking their whole range of IP addresses, I may virtually eliminate the hacking.

I doubt it, myself.

Quote from: "mackayr"

The only reason I am doing it this way (blocking access to certain IP addresses) is because I don't know the IP ranges of where I may want to log in from.  If I always logged in from the same place, then I'd know and would just open access to that particular range.


It's going to be a big list.

Quote from: "mackayr"

Is 7.0alpha relatively stable yet?


Yes, though it's still an Alpha, so bugs are expected.

mackayr

Blocking attempts to hack into server
« Reply #13 on: July 25, 2005, 05:13:47 AM »
Quote from: "gordonr"
It's going to be a big list.

I guess I thought it would be distinct ranges allocated to APNIC, ARIN, etc...  (like 200.0.0.0 - 234.255.255.255 may be allocated to APNIC).  I'm checking on their website, however, and it doesn't appear to be that simple.  I guess I'm the one with the naive (simple) mind.  ;-)